CVE-2025-69222 Overview
CVE-2025-69222 is a Server-Side Request Forgery (SSRF) vulnerability affecting LibreChat, a popular open-source ChatGPT clone with enhanced features. The vulnerability exists in version 0.8.1-rc2 due to missing restrictions on the Actions feature in the default configuration. LibreChat enables users to configure agents with predefined instructions and actions that can interact with remote services via OpenAPI specifications, supporting various HTTP methods, parameters, and authentication methods including custom headers. By default, there are no restrictions on accessible services, allowing agents to access internal components like the RAG API included in the default Docker Compose setup.
Critical Impact
Attackers with low privileges can exploit this SSRF vulnerability to access internal services and components, potentially leading to unauthorized data access, internal network reconnaissance, and compromise of backend systems in LibreChat deployments.
Affected Products
- LibreChat version 0.8.1-rc2
- LibreChat deployments using default Docker Compose configuration
- LibreChat instances with unrestricted Actions feature
Discovery Timeline
- 2026-01-07 - CVE-2025-69222 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-69222
Vulnerability Analysis
This vulnerability is classified under CWE-918 (Server-Side Request Forgery). The SSRF flaw allows authenticated users to abuse the Actions feature to make arbitrary HTTP requests from the server to internal or external destinations. The core issue stems from the lack of URL validation and network segmentation controls in the default configuration.
The Actions feature in LibreChat is designed to enable agents to interact with external services through OpenAPI specifications. However, the implementation fails to enforce allowlists or blocklists for target URLs, enabling users to craft requests targeting internal infrastructure. This is particularly concerning in containerized environments where the default Docker Compose setup includes the RAG API as an accessible internal component.
An attacker with basic user-level access can configure a malicious agent that targets internal endpoints such as http://localhost, http://127.0.0.1, cloud metadata endpoints like http://169.254.169.254, or other internal services within the Docker network. This enables reconnaissance of internal network topology, access to sensitive configuration data, and potential lateral movement within the infrastructure.
Root Cause
The root cause of this vulnerability is the absence of network access restrictions and URL validation in the Actions feature's default configuration. LibreChat's design allows agents to make HTTP requests to arbitrary URLs without validating whether the destination is an internal or external resource. The default Docker Compose setup exacerbates this issue by placing multiple services on the same network without proper isolation, making internal components like the RAG API directly accessible via SSRF.
Attack Vector
The attack vector is network-based, requiring the attacker to have low-level authentication (PR:L) to configure agents within LibreChat. No user interaction is required for exploitation. An attacker creates a custom agent with an OpenAPI specification pointing to internal endpoints or sensitive external services. When the agent executes, the LibreChat server makes requests on behalf of the attacker, bypassing network-level access controls and potentially exposing internal services, cloud metadata, or other protected resources.
The vulnerability allows requests to be crafted with various HTTP methods and custom headers, increasing the attack surface and potential impact. In cloud environments, attackers could target instance metadata services to extract credentials, while in on-premises deployments, they could map internal networks and access administrative interfaces.
Detection Methods for CVE-2025-69222
Indicators of Compromise
- Unusual outbound HTTP requests from the LibreChat server to internal IP ranges (e.g., 127.0.0.1, 10.x.x.x, 172.16-31.x.x, 192.168.x.x)
- Agent configurations containing suspicious OpenAPI specifications targeting localhost, cloud metadata endpoints, or internal service URLs
- Unexpected access patterns to the RAG API or other internal Docker services from the LibreChat application container
- HTTP requests to cloud metadata endpoints (e.g., 169.254.169.254) originating from the LibreChat server
Detection Strategies
- Monitor network traffic from the LibreChat container for connections to internal IP ranges, localhost, or link-local addresses
- Implement application-level logging to capture all agent-initiated HTTP requests, including target URLs and response codes
- Deploy web application firewall (WAF) rules to detect and block common SSRF payloads in agent configurations
- Review agent configurations for suspicious OpenAPI specifications referencing internal endpoints
Monitoring Recommendations
- Enable verbose logging for the Actions feature to capture all external service interactions and flag anomalous requests
- Set up alerts for any HTTP requests from LibreChat targeting internal network segments or metadata services
- Periodically audit agent configurations for unauthorized or suspicious OpenAPI specifications
How to Mitigate CVE-2025-69222
Immediate Actions Required
- Upgrade LibreChat to version 0.8.2-rc2 or later immediately to receive the security fix
- Review existing agent configurations and remove any that contain suspicious or unauthorized OpenAPI specifications
- Implement network segmentation to isolate the LibreChat application from sensitive internal services
- Configure firewall rules to restrict outbound connections from the LibreChat server to only necessary external endpoints
Patch Information
The vulnerability has been addressed in LibreChat version 0.8.2-rc2. The fix introduces restrictions on accessible services in the Actions feature. Users should upgrade to this version or later to remediate the vulnerability. The patch commit is available in the GitHub Commit Details, and the patched release can be downloaded from the GitHub Release v0.8.2-rc2. Additional details are available in the GitHub Security Advisory GHSA-rgjq-4q58-m3q8.
Workarounds
- Implement network-level controls to block outbound requests from the LibreChat container to internal IP ranges and cloud metadata endpoints
- Configure egress filtering to allowlist only specific external domains that agents are permitted to access
- Disable or restrict the Actions feature entirely if it is not required for your deployment
- Deploy LibreChat behind a reverse proxy with SSRF protection capabilities to validate and sanitize outbound requests
# Example Docker Compose network isolation configuration
# Create a separate network for LibreChat with restricted access to internal services
docker network create --driver bridge --internal librechat-restricted
# Run LibreChat container with restricted network and explicit egress rules
docker run -d \
--name librechat \
--network librechat-restricted \
--cap-drop=ALL \
-e ALLOWED_DOMAINS="api.openai.com,api.anthropic.com" \
librechat/librechat:v0.8.2-rc2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
