Skip to main content

Librechat CVE-2026-31943

| EUVDEUVD-2026-16764 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-27 GitHub_M
8.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:12 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
0.8.3
EUVD ID Assigned
Mar 27, 2026 - 19:45 euvd
EUVD-2026-16764
Analysis Generated
Mar 27, 2026 - 19:45 vuln.today
CVE Published
Mar 27, 2026 - 19:21 nvd
HIGH 8.5

DescriptionGitHub Advisory

LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.3, isPrivateIP() in packages/api/src/auth/domain.ts fails to detect IPv4-mapped IPv6 addresses in their hex-normalized form, allowing any authenticated user to bypass SSRF protection and make the server issue HTTP requests to internal network resources - including cloud metadata services (e.g., AWS 169.254.169.254), loopback, and RFC1918 ranges. Version 0.8.3 fixes the issue.

AnalysisAI

Server-Side Request Forgery (SSRF) in LibreChat versions prior to 0.8.3 allows authenticated users to bypass IP validation and force the application server to make HTTP requests to internal network resources. The vulnerability stems from improper validation of IPv4-mapped IPv6 addresses in hex-normalized form, enabling access to cloud metadata services (AWS 169.254.169.254), loopback addresses, and RFC1918 private networks. With EPSS data unavailable and no CISA KEV listing, no public exploit identified at time of analysis, though the specific bypass technique (hex-normalized IPv4-mapped IPv6) is well-documented in SSRF research.

Technical ContextAI

The vulnerability exists in the isPrivateIP() function within packages/api/src/auth/domain.ts of LibreChat, an open-source ChatGPT alternative. The function implements SSRF protection by validating IP addresses before allowing HTTP requests, but fails to properly detect IPv4-mapped IPv6 addresses when presented in hex-normalized format (e.g., 0xA9FEA9FE representing 169.254.169.254). IPv4-mapped IPv6 addresses use the format ::ffff:a.b.c.d, but can be obfuscated through various encoding schemes. This represents a classic CWE-918 (Server-Side Request Forgery) implementation flaw where input validation fails to account for alternative IP address representations. The affected product (cpe:2.3:a:danny-avila:librechat) is a Node.js-based application that likely uses user-supplied URLs for legitimate features like web scraping or API integrations, which becomes the attack vector when validation is bypassed.

RemediationAI

Upgrade immediately to LibreChat version 0.8.3 or later, which includes fixes to the isPrivateIP() validation function in packages/api/src/auth/domain.ts to properly detect hex-normalized IPv4-mapped IPv6 addresses. Organizations should verify the update by testing that requests to internal IP addresses in various encoding formats (standard dotted decimal, hex, octal, IPv4-mapped IPv6) are properly blocked. As a defense-in-depth measure pending upgrade, implement network-level controls such as egress filtering to prevent the LibreChat server from accessing cloud metadata endpoints (169.254.169.254, fd00:ec2::254) and internal RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Review application logs for suspicious outbound requests to internal IP ranges that may indicate prior exploitation. Consult the GitHub security advisory at https://github.com/danny-avila/LibreChat/security/advisories/GHSA-w5r7-4f94-vp4c for additional vendor-specific guidance and validation steps.

CVE-2024-11170 HIGH POC
8.8 Mar 20

A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of f

CVE-2024-10361 CRITICAL POC
9.1 Mar 20

An arbitrary file deletion vulnerability exists in danny-avila/librechat version v0.7.5-rc2, specifically within the /ap

CVE-2025-69222 CRITICAL POC
9.1 Jan 07

LibreChat 0.8.1-rc2 has SSRF in the Actions feature that allows authenticated users to make the server perform requests

CVE-2026-22252 CRITICAL POC
9.1 Jan 12

LibreChat before v0.8.2-rc2 allows any authenticated user to execute shell commands as root inside the container through

CVE-2025-66201 HIGH POC
8.6 Nov 29

LibreChat is a ChatGPT clone with additional features. Rated high severity (CVSS 8.6), this vulnerability is remotely ex

CVE-2024-11171 HIGH POC
7.5 Mar 20

In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. Rated high severity (

CVE-2025-69220 HIGH POC
7.1 Jan 07

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file

CVE-2024-11173 MEDIUM POC
6.5 Mar 20

An unhandled exception in the danny-avila/librechat repository, version git 600d217, can cause the server to crash, lead

CVE-2024-10366 MEDIUM POC
6.5 Mar 20

An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat

CVE-2024-41704 CRITICAL
9.8 Jul 22

LibreChat through 0.7.4-rc1 does not validate the normalized pathnames of images. Rated critical severity (CVSS 9.8), th

CVE-2024-41703 CRITICAL
9.8 Jul 22

LibreChat through 0.7.4-rc1 has incorrect access control for message updates. Rated critical severity (CVSS 9.8), this v

CVE-2026-32625 CRITICAL
9.6 Jun 02

{VAR} placeholders against the host process environment, so attacker-controlled MCP URLs cause the LibreChat backend to

Share

CVE-2026-31943 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy