Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66201

CVE-2025-66201: LibreChat SSRF Vulnerability

CVE-2025-66201 is a Server-Side Request Forgery flaw in LibreChat that allows authenticated users to access internal URLs via crafted OpenAPI specs. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-66201 Overview

CVE-2025-66201 is a Server-Side Request Forgery (SSRF) vulnerability in LibreChat, an open-source ChatGPT clone. The flaw affects all versions prior to 0.8.1-rc2 and resides in the application's "Actions" feature, which consumes OpenAPI specifications to extend large language model (LLM) capabilities. An authenticated user with access to this feature can supply a crafted OpenAPI spec that causes the LibreChat server to issue requests to internal URLs. Attackers can reach cloud metadata services, potentially enabling impersonation of the server's identity. The issue is tracked under [CWE-918] and [CWE-20] and has been patched in version 0.8.1-rc2.

Critical Impact

Authenticated attackers can pivot through the LibreChat server to reach internal services and cloud instance metadata endpoints, exposing credentials and enabling identity impersonation.

Affected Products

  • LibreChat versions prior to 0.8.1-rc2
  • LibreChat 0.8.1 (initial release)
  • LibreChat 0.8.1-rc1

Discovery Timeline

  • 2025-11-29 - CVE-2025-66201 published to NVD
  • 2025-12-03 - Last updated in NVD database

Technical Details for CVE-2025-66201

Vulnerability Analysis

LibreChat's Actions feature allows users to register external tools by uploading OpenAPI specifications. The LLM then invokes the endpoints declared in those specs on behalf of the user. The server fetches and acts upon URLs derived from the user-supplied spec without enforcing destination restrictions. This design permits an authenticated user to point those requests at internal addresses reachable only from the LibreChat host.

The consequences extend beyond ordinary internal reconnaissance. Cloud providers expose instance metadata at link-local endpoints such as 169.254.169.254. A successful request to these endpoints can leak temporary credentials, IAM role tokens, and configuration data, depending on the cloud environment and metadata service version in use.

Root Cause

The root cause is improper input validation [CWE-20] of OpenAPI specifications combined with missing egress controls on outbound HTTP requests [CWE-918]. LibreChat trusts the host and path values from the spec when constructing requests issued by the Actions handler. No allowlist, IP-range filter, or DNS rebinding protection prevents requests to private, loopback, or link-local ranges.

Attack Vector

The attacker must authenticate to a LibreChat instance and possess permission to create or use Actions. The attacker uploads an OpenAPI specification whose server URL or operation paths reference internal targets, such as http://169.254.169.254/latest/meta-data/ on AWS or http://metadata.google.internal/ on Google Cloud. Triggering the action through normal LLM interaction causes the server to perform the request and return the response content into the conversation context. The attacker reads the response and harvests credentials or internal service data.

No verified public exploit code is available. See the GitHub Security Advisory GHSA-7m2q-fjwr-5x8v for vendor technical details.

Detection Methods for CVE-2025-66201

Indicators of Compromise

  • Outbound HTTP requests from the LibreChat server process to link-local addresses such as 169.254.169.254 or metadata.google.internal.
  • Newly created or modified Actions containing OpenAPI servers entries pointing to private IP ranges (RFC1918), loopback, or cloud metadata hostnames.
  • Unexpected access patterns in cloud audit logs originating from the LibreChat workload identity.

Detection Strategies

  • Inspect LibreChat application logs for Action invocations whose target host resolves to internal or link-local addresses.
  • Review the Actions configuration store for OpenAPI specs containing internal hostnames, IP literals, or non-standard schemes.
  • Correlate LLM conversation events with outbound network flows from the LibreChat container or host to detect SSRF response exfiltration.

Monitoring Recommendations

  • Enable IMDSv2 on AWS workloads and alert on any IMDSv1 calls originating from the LibreChat host.
  • Forward LibreChat application logs and host network telemetry to a centralized analytics platform for behavioral baselining.
  • Monitor for spikes in 4xx/5xx outbound responses that could indicate SSRF probing of internal services.

How to Mitigate CVE-2025-66201

Immediate Actions Required

  • Upgrade LibreChat to version 0.8.1-rc2 or later, which contains the official fix.
  • Audit all existing Actions and remove any OpenAPI specifications referencing private, loopback, or metadata addresses.
  • Rotate any cloud credentials or IAM role tokens that may have been exposed through the LibreChat instance metadata endpoint.

Patch Information

The maintainers patched the issue in LibreChat 0.8.1-rc2. Details are published in the LibreChat GitHub Security Advisory GHSA-7m2q-fjwr-5x8v. Operators running self-hosted deployments should pull the patched container image or update their source checkout and redeploy.

Workarounds

  • Restrict access to the Actions feature to trusted administrative users through role-based controls until the patch is applied.
  • Enforce network egress filtering on the LibreChat host to block outbound traffic to RFC1918, loopback, and 169.254.0.0/16 ranges.
  • Require IMDSv2 with session tokens on AWS workloads to prevent unauthenticated metadata access via SSRF.
bash
# Example egress restriction using iptables on the LibreChat host
iptables -A OUTPUT -d 169.254.169.254 -j REJECT
iptables -A OUTPUT -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -d 192.168.0.0/16 -j REJECT
iptables -A OUTPUT -d 127.0.0.0/8 -j REJECT

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.