fix: Server-Side Request Forgery (SSRF) in HTMLHeaderTextSplitter.split_text_from_url (#35196)

libs/text-splitters/langchain_text_splitters/html.py

@@ -205,6 +205,11 @@ class HTMLHeaderTextSplitter:
         Raises:
             requests.RequestException: If the HTTP request fails.
         """
+        from langchain_core._security._ssrf_protection import (  # noqa: PLC0415
+            validate_safe_url,
+        )
+
+        validate_safe_url(url, allow_private=False, allow_http=True)
         response = requests.get(url, timeout=timeout, **kwargs)
         response.raise_for_status()
         return self.split_text(response.text)

libs/text-splitters/pyproject.toml

@@ -25,7 +25,7 @@ classifiers = [
 version = "1.1.0"
 requires-python = ">=3.10.0,<4.0.0"
 dependencies = [
-    "langchain-core>=1.2.0,<2.0.0",
+    "langchain-core>=1.2.12,<2.0.0",
 ]
 
 [project.urls]

libs/text-splitters/uv.lock

@@ -1,5 +1,5 @@
 version = 1
-revision = 3
+revision = 2
 requires-python = ">=3.10.0, <4.0.0"
 resolution-markers = [
     "python_full_version >= '3.14'",
@@ -1175,7 +1175,7 @@ wheels = [
 
 [[package]]
 name = "langchain-core"
-version = "1.2.11"
+version = "1.2.12"
 source = { editable = "../core" }
 dependencies = [
     { name = "jsonpatch" },