LibreChat MCP Stdio Remote Command Execution Vulnerability

A critical authenticated remote code execution vulnerability has been identified in LibreChat versions prior to v0.8.2-rc2. The issue arises because the MCP stdio transport allows arbitrary commands to be executed without validation. This flaw enables any authenticated user to execute shell commands as root within the container, using a single API request.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary commands as the root user inside the LibreChat Docker container. This could lead to unauthorized access to sensitive data, manipulation of files in mounted directories, and potential lateral movement within the internal network.

Reproduction

To reproduce this vulnerability, first register an account on a vulnerable LibreChat instance and log in to obtain a JWT token. Then, send a POST request to the '/api/mcp/servers' endpoint, including the stdio transport configuration in the request body. The specified command will be executed immediately on the server as root.

Remediation

Users should update to LibreChat version v0.8.2-rc2 or later, where this vulnerability has been patched.