A critical server-side request forgery (SSRF) vulnerability has been identified in LibreChat, a popular open-source AI chat platform. This flaw allows an authenticated user to force the application's server to make unauthorized requests to internal network services, potentially leading to sensitive data exposure and further network compromise. Due to the high severity and the vulnerability's presence in the default configuration, immediate remediation is strongly advised.

The vulnerability is a Server-Side Request Forgery (SSRF) within the "Actions" feature of LibreChat. This feature allows users to configure agents that can interact with external services through OpenAPI specifications. The default configuration lacks restrictions on which URLs or IP addresses these actions can target. An attacker with the ability to configure an agent can create a malicious action pointing to an internal, non-public service (e.g., http://127.0.0.1/api or an internal corporate server). When this action is triggered, the LibreChat server will execute the request, effectively bypassing firewall rules and allowing the attacker to interact with, scan, and potentially exfiltrate data from sensitive internal systems like the RAG API.

This vulnerability is rated as critical severity with a CVSS score of 9.1, posing a significant risk to the organization. Successful exploitation could lead to unauthorized access to internal network resources, theft of confidential data from internal databases and APIs, and comprehensive reconnaissance of the internal network architecture. An attacker could leverage this access to pivot to other systems, potentially leading to a more widespread network compromise, loss of intellectual property, and reputational damage.

Immediate Action: Immediately upgrade all instances of LibreChat to the fixed version (0.8.1-rc2) or the latest available version as recommended by the vendor. After patching, review server access logs and application logs for any signs of exploitation, such as unexpected requests originating from the LibreChat server to internal IP addresses.

Proactive Monitoring: Monitor all outbound network traffic from the LibreChat server. Specifically, look for and alert on any HTTP/S requests destined for internal or loopback IP address ranges (e.g., 127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Regularly audit agent configurations within LibreChat for any actions that point to suspicious or internal endpoints.

Compensating Controls: If immediate patching is not feasible, implement the following controls:

• Apply strict network egress filtering rules on the host firewall of the LibreChat server to block all outbound connections to internal network segments.
• If possible within the application's configuration, disable the "Actions" feature for all non-administrative or untrusted users.
• Place the LibreChat instance behind a Web Application Firewall (WAF) with rules designed to detect and block common SSRF attack patterns.

Public Exploit Available: false

Given the critical CVSS score of 9.1 and the potential for direct access to internal network resources, this vulnerability requires immediate attention. We strongly recommend that all affected LibreChat instances be patched to version 0.8.1-rc2 or newer without delay. Although this CVE is not currently listed on the CISA KEV list, its severity and the ease of exploitation in a default setup make it a critical risk that should be prioritized for remediation.