LibreChat Server-Side Request Forgery Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in LibreChat version 0.8.1-rc2. This vulnerability arises from the default configuration, which lacks restrictions on the Actions feature. LibreChat allows users to create agents that can interact with remote services via OpenAPI specifications, including access to internal components like the RAG API in the default Docker Compose setup. The vulnerability enables authenticated users to manipulate internal services or external APIs, potentially leading to unauthorized access or data manipulation.

Impact

Exploitation of this vulnerability allows authenticated users to interact with arbitrary HTTP services, including internal APIs not meant for public access, such as the RAG API. This could lead to unauthorized access to sensitive information, manipulation of internal data, or exploitation of other services, depending on the specific environment.

Reproduction

To reproduce this vulnerability, create an agent in LibreChat version 0.8.1-rc2 without any domain restrictions. Once the agent is active, access the internal RAG API by sending a request through the agent's actions, exploiting the SSRF vulnerability to interact with the API as if the request originated from the server.

Remediation

Users are advised to update to LibreChat version 0.8.2-rc2 or later and to configure the 'actions.allowedDomains' setting to explicitly allow only trusted domains, specifying protocols and ports as needed.