CVE-2025-69222
CRITICALCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Lifecycle Timeline
4Description
LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 is prone to a server-side request forgery (SSRF) vulnerability due to missing restrictions of the Actions feature in the default configuration. LibreChat enables users to configure agents with predefined instructions and actions that can interact with remote services via OpenAPI specifications, supporting various HTTP methods, parameters, and authentication methods including custom headers. By default, there are no restrictions on accessible services, which means agents can also access internal components like the RAG API included in the default Docker Compose setup. This issue is fixed in version 0.8.1-rc2.
Analysis
LibreChat 0.8.1-rc2 has SSRF in the Actions feature that allows authenticated users to make the server perform requests to internal networks. By configuring agents with malicious OpenAPI specifications, attackers can scan internal infrastructure and access internal services. PoC available, patch available.
Technical Context
The Actions feature allows configuring agents with OpenAPI specifications that define HTTP endpoints (CWE-918). The server makes requests to these endpoints without validating that they are external. An authenticated user can specify internal IP addresses, accessing cloud metadata services, internal APIs, and other restricted resources.
Affected Products
LibreChat 0.8.1-rc2
Remediation
Update LibreChat. Implement SSRF protections: block requests to private IP ranges, cloud metadata services, and localhost.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today