CVE-2025-66201
📋 TL;DR
This Server-side Request Forgery (SSRF) vulnerability in LibreChat allows authenticated users to craft malicious OpenAPI specifications that trick the LLM into making unauthorized requests from the server. Attackers could access internal services like cloud metadata endpoints, potentially enabling server impersonation. Only authenticated users with access to the Actions feature are affected.
💻 Affected Systems
- LibreChat
📦 What is this software?
Librechat by Librechat
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through cloud metadata service access, allowing an attacker to obtain credentials and impersonate the server in cloud environments.
Likely Case
Unauthorized access to internal HTTP services, data exfiltration from internal APIs, or reconnaissance of internal network infrastructure.
If Mitigated
Limited impact if proper network segmentation, egress filtering, and cloud metadata service protections are in place.
🎯 Exploit Status
Exploitation requires understanding of OpenAPI specifications and ability to craft malicious specs that the LLM will process.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.8.1-rc2
Vendor Advisory: https://github.com/danny-avila/LibreChat/security/advisories/GHSA-7m2q-fjwr-5x8v
Restart Required: Yes
Instructions:
1. Update LibreChat to version 0.8.1-rc2 or later.
2. Restart the LibreChat service.
3. Verify the update was successful.
🔧 Temporary Workarounds
Disable Actions Feature
all: Temporarily disable the Actions feature that processes OpenAPI specifications
Modify LibreChat configuration to disable actions/OpenAPI functionality
Network Egress Filtering
linux: Implement strict outbound firewall rules to block access to internal services and cloud metadata endpoints
iptables -A OUTPUT -d 169.254.169.254 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
🧯 If You Can't Patch
- Restrict user access to Actions feature to trusted administrators only
- Implement network segmentation to isolate LibreChat server from sensitive internal services
🔍 How to Verify
Check if Vulnerable:
Check LibreChat version; if version is below 0.8.1-rc2 and Actions feature is enabled, system is vulnerable.
Check Version:
Check package.json or application configuration for version number
Verify Fix Applied:
Verify LibreChat version is 0.8.1-rc2 or higher and test that malicious OpenAPI specs no longer trigger unauthorized requests.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from LibreChat server
- Requests to internal IP addresses or cloud metadata endpoints
- Multiple failed attempts to access restricted endpoints
Network Indicators:
- HTTP requests from LibreChat server to internal network ranges
- Requests to cloud metadata services (169.254.169.254 for AWS)
SIEM Query:
source="librechat" AND (dest_ip=169.254.169.254 OR dest_ip IN [10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12])
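The check expressed by the SIEM query above, written out as an added Python example (not LibreChat code and not part of the vendor advisory). The field names source and dest_ip follow the query; the JSON-lines log layout and the sample events are constructed assumptions.

```python
import ipaddress
import json
# Ranges from the SIEM query and network indicators on this page.
WATCHED = {
    "cloud-metadata": ipaddress.ip_network("169.254.169.254/32"),
    "rfc1918-10": ipaddress.ip_network("10.0.0.0/8"),
    "rfc1918-172": ipaddress.ip_network("172.16.0.0/12"),
    "rfc1918-192": ipaddress.ip_network("192.168.0.0/16"),
}
# Constructed sample events (assumed JSON-lines egress log).
SAMPLE_LOG = """\
{"source": "librechat", "dest_ip": "93.184.216.34"}
{"source": "librechat", "dest_ip": "169.254.169.254"}
{"source": "librechat", "dest_ip": "::ffff:10.0.5.12"}
{"source": "nginx", "dest_ip": "10.0.0.7"}
{"source": "librechat", "dest_ip": "172.20.1.9"}
not-json garbage line
"""

def classify(dest_ip):
    """Label of the watched range holding dest_ip (mapped IPv6 unwrapped)."""
    try:
        addr = ipaddress.ip_address(dest_ip)
    except ValueError:
        return None
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    for label, net in WATCHED.items():
        if addr.version == net.version and addr in net:
            return label
    return None

def find_alerts(log_text, source="librechat"):
    """Return (line_no, dest_ip, label) for events matching the query."""
    alerts = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON events
        if not isinstance(event, dict) or event.get("source") != source:
            continue
        label = classify(str(event.get("dest_ip", "")))
        if label:
            alerts.append((line_no, event["dest_ip"], label))
    return alerts

if __name__ == "__main__":
    print(find_alerts(SAMPLE_LOG))
```

Events from other sources and unparseable lines are skipped, so only LibreChat-originated requests to the watched ranges are reported.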