chore(deps): update dependency langchain-openai to v1.1.14 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
langchain-openai (changelog)	1.1.10 → 1.1.14

---

langchain-openai: Image token counting SSRF protection can be bypassed via DNS rebinding

CVE-2026-41488 / GHSA-r7w7-9xr2-qq2r

More information

Details

Summary

langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch.

The practical impact is limited because the fetched response body is passed directly to Pillow's Image.open() to extract dimensions — the response content is never returned, logged, or otherwise exposed to the caller. An attacker cannot exfiltrate data from internal services through this path. A potential risk is blind probing (inferring whether an internal host/port is open based on timing or error behavior).

Affected versions

• langchain-openai < 1.1.14

Patched versions

• langchain-openai >= 1.1.14 (requires langchain-core >= 1.2.31)

Affected code

File: libs/partners/openai/langchain_openai/chat_models/base.py — _url_to_size()

The vulnerable pattern was a validate-then-fetch with separate DNS resolution:

validate_safe_url(image_source, allow_private=False, allow_http=True)

##### ... separate network operation with independent DNS resolution ...
response = httpx.get(image_source, timeout=timeout)

Fix

The fix replaces the validate-then-fetch pattern with an SSRF-safe httpx transport (SSRFSafeSyncTransport from langchain-core) that:

• Resolves DNS once and validates all returned IPs against a policy (private ranges, cloud metadata, localhost, k8s internal DNS)
• Pins the connection to the validated IP, eliminating the DNS rebinding window
• Disables redirect following to prevent redirect-based SSRF bypasses

This fix was released in langchain-openai 1.1.14.

Severity

• CVSS Score: 3.1 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

References

• https://github.com/langchain-ai/langchain/security/advisories/GHSA-r7w7-9xr2-qq2r
• https://nvd.nist.gov/vuln/detail/CVE-2026-41488
• https://github.com/langchain-ai/langchain

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.