langchain-openai: Image token counting SSRF protection can be bypassed via DNS rebinding

Summary

langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch.

The practical impact is limited because the fetched response body is passed directly to Pillow's Image.open() to extract dimensions — the response content is never returned, logged, or otherwise exposed to the caller. An attacker cannot exfiltrate data from internal services through this path. A potential risk is blind probing (inferring whether an internal host/port is open based on timing or error behavior).

Affected versions

• langchain-openai < 1.1.14

Patched versions

• langchain-openai >= 1.1.14 (requires langchain-core >= 1.2.31)

Affected code

File: libs/partners/openai/langchain_openai/chat_models/base.py — _url_to_size()

The vulnerable pattern was a validate-then-fetch with separate DNS resolution:

validate_safe_url(image_source, allow_private=False, allow_http=True)
# ... separate network operation with independent DNS resolution ...
response = httpx.get(image_source, timeout=timeout)

Fix

The fix replaces the validate-then-fetch pattern with an SSRF-safe httpx transport (SSRFSafeSyncTransport from langchain-core) that:

• Resolves DNS once and validates all returned IPs against a policy (private ranges, cloud metadata, localhost, k8s internal DNS)
• Pins the connection to the validated IP, eliminating the DNS rebinding window
• Disables redirect following to prevent redirect-based SSRF bypasses

This fix was released in langchain-openai 1.1.14.