LibreChat Mass Assignment Vulnerability in Preset Creation Allows User ID Manipulation

Vulnerability

A mass assignment vulnerability has been identified in LibreChat version 0.7.5-rc2 in the preset creation feature. The backend persists the preset object exactly as it is received from the client, without validating which attributes are present or what values they hold. A user can therefore include a different user's ID in the preset's user field; the preset is stored under that ID and appears in the other user's interface. Because ownership is taken from client-controlled input rather than from the authenticated session, the integrity and confidentiality of per-user data in the application are compromised.

Impact

Exploitation of this vulnerability allows unauthorized manipulation of preset ownership and visibility between users: a preset created by one user, including its custom name and instructions, can be made to appear in another user's interface without that user's consent and without any authorization check on the server side.

Reproduction

To reproduce this vulnerability, log in as a user and create a preset by filling out the 'Custom name' and 'Instructions' fields. Start the save process and intercept the resulting request to the presets API. In the request body, set the user ID field to the valid user ID of a different user, then forward the modified request. The server stores the injected user ID as the preset's owner, and the preset appears in the UI of the user whose ID was injected.

Remediation

Update to LibreChat version 0.7.5 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          1.4
impact          1.3
exploitability  6.0
remediation     7.7
relevance       0.0
threat          6.4
urgency         2.9
incentive       0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.