From 60b3f8bfd1e576f825b1ed0d5d20da5e91d89bfe Mon Sep 17 00:00:00 2001 From: Andriy Lysyuk Date: Fri, 1 May 2026 08:50:46 +0200 Subject: [PATCH] fix(security): extend langchain-core SSRF suppress to 2026-07-30 (ENG-12311) GHSA-2g6r-c272-w58r / CVE-2026-26013: langchain-core SSRF via image_url token counting. Fix requires langchain-core 0.3.x -> 1.2.11 (breaking major change). No semver-compatible fix available. Extends suppress 2026-06-15 -> 2026-07-30. Co-Authored-By: Claude Sonnet 4.6 --- osv-scanner.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/osv-scanner.toml b/osv-scanner.toml index 062e24dc..dc6a5af4 100644 --- a/osv-scanner.toml +++ b/osv-scanner.toml @@ -5,8 +5,8 @@ reason = "langchain-text-splitters SSRF redirect bypass in HTMLHeaderTextSplitte [[IgnoredVulns]] id = "GHSA-2g6r-c272-w58r" -ignoreUntil = 2026-06-15 -reason = "langchain-core SSRF via image_url token counting (LOW). Fix requires upgrading langchain-core 0.3.x -> 1.2.11, a breaking major version change incompatible with our ^0.3.15 constraint. No semver-compatible fix available." +ignoreUntil = 2026-07-30 +reason = "langchain-core SSRF via image_url token counting (LOW, CVE-2026-26013). Fix requires upgrading langchain-core 0.3.x -> 1.2.11, a breaking major version change incompatible with our ^0.3.15 constraint. No semver-compatible fix available. ENG-12311." [[IgnoredVulns]] id = "GHSA-qh6h-p6c9-ff54"