Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-69221

CVE-2025-69221: LibreChat Information Disclosure Flaw

CVE-2025-69221 is an information disclosure vulnerability in LibreChat that allows authenticated attackers to read agent permissions without authorization. This article covers technical details, affected versions, and mitigations.

Updated:

CVE-2025-69221 Overview

CVE-2025-69221 is an Improper Access Control vulnerability (CWE-284) affecting LibreChat, an open-source ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control when querying agent permissions, allowing an authenticated attacker to read the permissions of arbitrary agents, even if they have no permissions for that specific agent.

LibreChat allows the configuration of agents that have a predefined set of instructions and context. Private agents are designed to be invisible to other users. However, if an attacker knows the agent ID, they can read the permissions of the agent including permissions individually assigned to other users, leading to information disclosure about agent configurations and user access patterns.

Critical Impact

Authenticated users can enumerate and read permissions for private agents they should not have access to, potentially exposing sensitive configuration details and user permission assignments.

Affected Products

  • LibreChat version 0.8.1-rc2
  • Earlier versions may also be affected

Discovery Timeline

  • 2026-01-07 - CVE-2025-69221 published to NVD
  • 2026-01-08 - Last updated in NVD database

Technical Details for CVE-2025-69221

Vulnerability Analysis

This vulnerability stems from missing authorization checks in the agent permission query endpoint. When a user queries for agent permissions, the application fails to verify whether the requesting user has appropriate access rights to view that agent's permission data. This allows any authenticated user who knows or can guess an agent ID to retrieve sensitive permission information.

The attack surface is network-accessible and requires low privileges (any authenticated user), making it relatively straightforward to exploit. The impact is limited to confidentiality exposure of permission data without affecting system integrity or availability.

Root Cause

The root cause is Improper Access Control (CWE-284) in the permission query functionality. The application did not implement the canAccessResource middleware check for permission-related operations, allowing users to bypass the intended access restrictions on private agents. Specifically, the endpoint handling permission queries lacked verification that the requesting user possesses the required SHARE permission for the target resource.

Attack Vector

An authenticated attacker can exploit this vulnerability through the following attack vector:

  1. Authenticate to the LibreChat application with any valid user account
  2. Obtain or enumerate agent IDs (which may be predictable or leaked through other means)
  3. Query the permission endpoint for arbitrary agent IDs
  4. Retrieve permission data including user assignments for private agents

The attack requires network access and valid authentication credentials, but no special permissions beyond basic user access.

javascript
// Security patch in api/server/routes/accessPermissions.js
// Source: https://github.com/danny-avila/LibreChat/commit/06ba025bd95574c815ac6968454be7d3b024391c

  */
 router.get('/:resourceType/roles', getResourceRoles);
 
+/**
+ * Middleware factory to check resource access for permission-related operations.
+ * SECURITY: Users must have SHARE permission to view or modify resource permissions.
+ * @param {string} requiredPermission - The permission bit required (e.g., SHARE)
+ * @returns Express middleware function
+ */
+const checkResourcePermissionAccess = (requiredPermission) => (req, res, next) => {
+  const { resourceType } = req.params;
+  let middleware;
+
+  if (resourceType === ResourceType.AGENT) {
+    middleware = canAccessResource({
+      resourceType: ResourceType.AGENT,
+      requiredPermission,
+      resourceIdParam: 'resourceId',
+    });
+  } else if (resourceType === ResourceType.PROMPTGROUP) {
+    middleware = canAccessResource({
+      resourceType: ResourceType.PROMPTGROUP,
+      requiredPermission,
+      resourceIdParam: 'resourceId',
+    });
+  } else if (resourceType === ResourceType.MCPSERVER) {
+    middleware = canAccessResource({
+      resourceType: ResourceType.MCPSERVER,
+      requiredPermission,
+      resourceIdParam: 'resourceId',

Source: GitHub Commit Details

Detection Methods for CVE-2025-69221

Indicators of Compromise

  • Unusual patterns of permission queries from authenticated users targeting multiple agent IDs
  • Access logs showing permission endpoint requests for agents the user does not own or have share access to
  • Enumeration attempts visible as sequential or bulk queries to the permission routes

Detection Strategies

  • Monitor API logs for requests to /:resourceType/roles endpoints with agent IDs not belonging to the requesting user
  • Implement alerting on high-volume permission queries from single user accounts
  • Review authentication logs for accounts exhibiting reconnaissance behavior patterns

Monitoring Recommendations

  • Enable detailed logging on the accessPermissions.js route handlers
  • Set up anomaly detection for permission query frequency and scope
  • Correlate permission query logs with agent ownership data to identify unauthorized access attempts

How to Mitigate CVE-2025-69221

Immediate Actions Required

  • Upgrade LibreChat to version 0.8.2-rc2 or later immediately
  • Audit logs for any suspicious permission query activity prior to patching
  • Review agent configurations that may have been exposed and assess potential impact

Patch Information

The vulnerability has been fixed in LibreChat version 0.8.2-rc2. The patch implements a new middleware factory checkResourcePermissionAccess that enforces the SHARE permission requirement before allowing users to view or modify resource permissions. This ensures that only users with appropriate access rights can query permission data for agents, prompt groups, and MCP servers.

For more details, see the:

Workarounds

  • If immediate patching is not possible, consider restricting access to the LibreChat instance to trusted users only
  • Implement network-level access controls to limit who can authenticate to the application
  • Monitor permission query endpoints closely until the patch can be applied
bash
# Update LibreChat to patched version
cd /path/to/LibreChat
git fetch --tags
git checkout v0.8.2-rc2
npm install
npm run build
# Restart the application

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.