Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-reachable with low complexity, but needs an authenticated account (PR:L); SSRF pivots beyond the app (S:C) to disclose internal data (C:H), with no integrity or availability effect.
Primary rating from Vendor (GitHub_M).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionNVD
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, LibreChat allows users to configure custom OpenAI-compatible API endpoints by setting a baseURL. This URL is used to construct HTTP requests without any SSRF validation - no private IP check, no scheme restriction, no DNS pinning. An authenticated user can set baseURL to internal network addresses. This vulnerability is fixed in 0.8.4-rc1.
AnalysisAI
Server-side request forgery in LibreChat before 0.8.4-rc1 lets any authenticated user point a custom OpenAI-compatible endpoint baseURL at internal network addresses, because the URL is used to build HTTP requests with no SSRF validation whatsoever - no private-IP blocking, no scheme restriction, and no DNS pinning. By abusing the legitimate custom-endpoint feature, a logged-in user can coerce the server into reaching internal-only services and returning their responses, with a CVSS 3.1 score of 7.7 driven by a changed scope and high confidentiality impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated LibreChat account (PR:L) and that the instance permits users to configure custom OpenAI-compatible endpoints by supplying a baseURL - the exact feature named in the advisory. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are moderately strong but not emergency-level. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or uses an existing low-privilege account on a LibreChat instance, adds a custom OpenAI-compatible provider, and sets its baseURL to an internal target such as http://169.254.169.254/latest/meta-data/ or an internal admin service. When they trigger a chat completion against that provider, the LibreChat server makes the request from inside the trusted network and returns the response content to the attacker, disclosing cloud credentials or internal data. … |
| Remediation | Vendor-released patch: upgrade LibreChat to 0.8.4-rc1 or later, which adds the missing SSRF controls - this is the primary and recommended fix, per the advisory at https://github.com/danny-avila/LibreChat/security/advisories/GHSA-gc9r-88c3-7qhq. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all LibreChat deployments and document current versions; audit account access and restrict to essential personnel only; review server logs for suspicious custom endpoint configuration. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of f
An arbitrary file deletion vulnerability exists in danny-avila/librechat version v0.7.5-rc2, specifically within the /ap
LibreChat 0.8.1-rc2 has SSRF in the Actions feature that allows authenticated users to make the server perform requests
LibreChat before v0.8.2-rc2 allows any authenticated user to execute shell commands as root inside the container through
LibreChat is a ChatGPT clone with additional features. Rated high severity (CVSS 8.6), this vulnerability is remotely ex
In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. Rated high severity (
LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file
An unhandled exception in the danny-avila/librechat repository, version git 600d217, can cause the server to crash, lead
An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat
LibreChat through 0.7.4-rc1 does not validate the normalized pathnames of images. Rated critical severity (CVSS 9.8), th
LibreChat through 0.7.4-rc1 has incorrect access control for message updates. Rated critical severity (CVSS 9.8), this v
{VAR} placeholders against the host process environment, so attacker-controlled MCP URLs cause the LibreChat backend to
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39460