LibreChat Improper Access Control Vulnerability Allowing Authorization Bypass

Vulnerability

A vulnerability in LibreChat's access control mechanism allows users with the 'USER' role to bypass authorization and create agents, despite lacking the necessary permission. The issue arises in the 'checkAccess' function, which incorrectly uses 'permissions.some()' to validate the required permissions: when an action requires several permissions, access is granted as soon as any one of them is present, rather than only when all of them are. The vulnerability affects all versions prior to the fix.

Impact

Exploitation of this vulnerability allows for unauthorized creation of agents by users who should not have the permission to do so.

Reproduction

To reproduce this vulnerability, assign the 'USER' role a set of permissions in which the 'AGENTS' permission 'USE' is set to true and 'CREATE' is set to false. Then, make a POST request to the '/api/Agents' endpoint. The request will be processed successfully, and an agent will be created, despite the 'CREATE' permission being disabled.
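The following example illustrates the defect described in the Vulnerability and Reproduction sections above. It is an added, self-contained model and not LibreChat's own code: the role shape, the 'checkAccess' signature, the constant names and the 'authorizeCreateAgent' helper are assumptions made for illustration. It places the vulnerable 'some()' check beside the corrected 'every()' check and runs both against a constructed 'USER' role that has 'AGENTS.USE' granted and 'AGENTS.CREATE' denied.

```javascript
// Added illustrative example modelled on the advisory's description.
// NOT LibreChat's code: role shape, checkAccess signature and the
// constant/helper names below are assumptions.

const PermissionTypes = { AGENTS: 'AGENTS' };            // assumed names
const Permissions = { USE: 'USE', CREATE: 'CREATE' };    // assumed names

// Constructed sample role matching the reproduction steps:
// AGENTS.USE is granted, AGENTS.CREATE is not.
const userRole = {
  name: 'USER',
  permissions: {
    [PermissionTypes.AGENTS]: {
      [Permissions.USE]: true,
      [Permissions.CREATE]: false,
    },
  },
};

// Vulnerable variant: some() passes as soon as ANY required permission is
// granted, so USE alone satisfies a check that also requires CREATE.
function checkAccessVulnerable(role, permissionType, permissions) {
  const granted = (role && role.permissions && role.permissions[permissionType]) || {};
  return permissions.some((p) => granted[p] === true);
}

// Fixed variant: every() requires ALL listed permissions to be granted.
// An empty requirement list is treated as "deny" to avoid a vacuous pass.
function checkAccessFixed(role, permissionType, permissions) {
  const granted = (role && role.permissions && role.permissions[permissionType]) || {};
  return permissions.length > 0 && permissions.every((p) => granted[p] === true);
}

// Simulated authorization decision for the agent-creation route (constructed
// helper). Returns the HTTP status the route would answer with.
function authorizeCreateAgent(role, checkAccess) {
  const required = [Permissions.USE, Permissions.CREATE];
  return checkAccess(role, PermissionTypes.AGENTS, required) ? 201 : 403;
}

// Same role, both checks: the vulnerable check lets the agent be created.
console.log('vulnerable:', authorizeCreateAgent(userRole, checkAccessVulnerable)); // 201
console.log('fixed:     ', authorizeCreateAgent(userRole, checkAccessFixed));      // 403
```

Running the block prints 201 for the vulnerable check and 403 for the fixed one. A unit test of this shape, a role that holds only a subset of the permissions a route requires, is the regression check to keep around after upgrading: any future helper that silently reverts to 'some()' fails it immediately.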

Remediation

Users can update to LibreChat version 0.7.9 or later, where this vulnerability has been fixed.

Added: Sep 23, 2025, 10:18 AM
Updated: Sep 23, 2025, 10:18 AM

Vulnerability Rating

Custom Algorithm

spread:         1.4
impact:         0.6
exploitability: 9.1
remediation:    7.7
relevance:      0.5
threat:         6.4
urgency:        2.9
incentive:      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.