Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.3, isPrivateIP() in packages/api/src/auth/domain.ts fails to detect IPv4-mapped IPv6 addresses in their hex-normalized form, allowing any authenticated user to bypass SSRF protection and make the server issue HTTP requests to internal network resources - including cloud metadata services (e.g., AWS 169.254.169.254), loopback, and RFC1918 ranges. Version 0.8.3 fixes the issue.
AnalysisAI
Server-Side Request Forgery (SSRF) in LibreChat versions prior to 0.8.3 allows authenticated users to bypass IP validation and force the application server to make HTTP requests to internal network resources. The vulnerability stems from improper validation of IPv4-mapped IPv6 addresses in hex-normalized form, enabling access to cloud metadata services (AWS 169.254.169.254), loopback addresses, and RFC1918 private networks. With EPSS data unavailable and no CISA KEV listing, no public exploit identified at time of analysis, though the specific bypass technique (hex-normalized IPv4-mapped IPv6) is well-documented in SSRF research.
Technical ContextAI
The vulnerability exists in the isPrivateIP() function within packages/api/src/auth/domain.ts of LibreChat, an open-source ChatGPT alternative. The function implements SSRF protection by validating IP addresses before allowing HTTP requests, but fails to properly detect IPv4-mapped IPv6 addresses when presented in hex-normalized format (e.g., 0xA9FEA9FE representing 169.254.169.254). IPv4-mapped IPv6 addresses use the format ::ffff:a.b.c.d, but can be obfuscated through various encoding schemes. This represents a classic CWE-918 (Server-Side Request Forgery) implementation flaw where input validation fails to account for alternative IP address representations. The affected product (cpe:2.3:a:danny-avila:librechat) is a Node.js-based application that likely uses user-supplied URLs for legitimate features like web scraping or API integrations, which becomes the attack vector when validation is bypassed.
RemediationAI
Upgrade immediately to LibreChat version 0.8.3 or later, which includes fixes to the isPrivateIP() validation function in packages/api/src/auth/domain.ts to properly detect hex-normalized IPv4-mapped IPv6 addresses. Organizations should verify the update by testing that requests to internal IP addresses in various encoding formats (standard dotted decimal, hex, octal, IPv4-mapped IPv6) are properly blocked. As a defense-in-depth measure pending upgrade, implement network-level controls such as egress filtering to prevent the LibreChat server from accessing cloud metadata endpoints (169.254.169.254, fd00:ec2::254) and internal RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Review application logs for suspicious outbound requests to internal IP ranges that may indicate prior exploitation. Consult the GitHub security advisory at https://github.com/danny-avila/LibreChat/security/advisories/GHSA-w5r7-4f94-vp4c for additional vendor-specific guidance and validation steps.
A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of f
An arbitrary file deletion vulnerability exists in danny-avila/librechat version v0.7.5-rc2, specifically within the /ap
LibreChat 0.8.1-rc2 has SSRF in the Actions feature that allows authenticated users to make the server perform requests
LibreChat before v0.8.2-rc2 allows any authenticated user to execute shell commands as root inside the container through
LibreChat is a ChatGPT clone with additional features. Rated high severity (CVSS 8.6), this vulnerability is remotely ex
In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. Rated high severity (
LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file
An unhandled exception in the danny-avila/librechat repository, version git 600d217, can cause the server to crash, lead
An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat
LibreChat through 0.7.4-rc1 does not validate the normalized pathnames of images. Rated critical severity (CVSS 9.8), th
LibreChat through 0.7.4-rc1 has incorrect access control for message updates. Rated critical severity (CVSS 9.8), this v
{VAR} placeholders against the host process environment, so attacker-controlled MCP URLs cause the LibreChat backend to
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16764