From 1493b4c5eed3b6c08358a5ce5d890bc8b52b4874 Mon Sep 17 00:00:00 2001
From: "corridor-security[bot]" <203152403+corridor-security[bot]@users.noreply.github.com>
Date: Thu, 12 Feb 2026 18:48:05 -0500
Subject: [PATCH] fix: Server-Side Request Forgery (SSRF) in HTMLHeaderTextSplitter.split_text_from_url (#35196)
---
 libs/text-splitters/langchain_text_splitters/html.py | 5 +++++
 libs/text-splitters/pyproject.toml | 2 +-
 libs/text-splitters/uv.lock | 4 ++--
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/libs/text-splitters/langchain_text_splitters/html.py b/libs/text-splitters/langchain_text_splitters/html.py
index d0c2c67b68f..94ebbe5d411 100644
--- a/libs/text-splitters/langchain_text_splitters/html.py
+++ b/libs/text-splitters/langchain_text_splitters/html.py
@@ -205,6 +205,11 @@ class HTMLHeaderTextSplitter:
 Raises:
 requests.RequestException: If the HTTP request fails.
 """
+ from langchain_core._security._ssrf_protection import ( # noqa: PLC0415
+ validate_safe_url,
+ )
+
+ validate_safe_url(url, allow_private=False, allow_http=True)
 response = requests.get(url, timeout=timeout, **kwargs)
 response.raise_for_status()
 return self.split_text(response.text)
diff --git a/libs/text-splitters/pyproject.toml b/libs/text-splitters/pyproject.toml
index 5e61f618b68..8573c3f207c 100644
--- a/libs/text-splitters/pyproject.toml
+++ b/libs/text-splitters/pyproject.toml
@@ -25,7 +25,7 @@ classifiers = [
 version = "1.1.0"
 requires-python = ">=3.10.0,<4.0.0"
 dependencies = [
- "langchain-core>=1.2.0,<2.0.0",
+ "langchain-core>=1.2.12,<2.0.0",
 ]
 
 [project.urls]
diff --git a/libs/text-splitters/uv.lock b/libs/text-splitters/uv.lock
index fa3df05a8f7..bc4c7542576 100644
--- a/libs/text-splitters/uv.lock
+++ b/libs/text-splitters/uv.lock
@@ -1,5 +1,5 @@
 version = 1
-revision = 3
+revision = 2
 requires-python = ">=3.10.0, <4.0.0"
 resolution-markers = [
 "python_full_version >= '3.14'",
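Review bot: In the `html.py` hunk, `validate_safe_url(url, allow_private=False, allow_http=True)` checks only the URL the caller passed, while `requests.get(url, timeout=timeout, **kwargs)` on the next line follows redirects by default, so a public URL that answers with a 3xx pointing at an internal address would still be fetched. Either turn redirects off unless the caller opts in, `kwargs.setdefault("allow_redirects", False)`, or follow them by hand and pass each `Location` through `validate_safe_url` before the next request. The helper's body is not in this patch, but if it resolves the hostname itself, `requests` resolves it again for the connection, so the address that was checked is not guaranteed to be the one contacted. The docstring's `Raises:` section still lists only `requests.RequestException`; it should also name whatever `validate_safe_url` raises for a rejected URL. The method's signature and the start of its docstring are outside the hunk.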
@@ -1175,7 +1175,7 @@ wheels = [
 
 [[package]]
 name = "langchain-core"
-version = "1.2.11"
+version = "1.2.12"
 source = { editable = "../core" }
 dependencies = [
 { name = "jsonpatch" },