LibreChat
cpe:2.3:a:librechat:librechat:*:*:*:*:*:*:*
- v0.8.3-rc2
A server-side request forgery (SSRF) vulnerability has been identified in LibreChat versions prior to 0.8.3. The issue arises in the 'isPrivateIP()' function, which fails to properly detect IPv4-mapped IPv6 addresses in their hex-normalized form. This oversight allows authenticated users to bypass SSRF protections and make the server send HTTP requests to internal network resources, including cloud metadata services, loopback addresses, and private IP ranges. The vulnerability is rooted in a normalization mismatch between the SSRF validation process and the Node.js URL parser, which silently converts IPv4-mapped IPv6 addresses to hex notation, evading proper validation. As a result, private addresses are incorrectly treated as public, enabling potential access to sensitive internal resources.
Exploitation of this vulnerability allows authenticated users to bypass SSRF protections and make the server issue HTTP requests to internal network resources. This includes access to cloud metadata services, such as AWS metadata endpoints, which can leak sensitive information like IAM credentials and instance tokens. The vulnerability also allows access to internal services, databases, and APIs not exposed to the internet, as well as loopback addresses, enabling interaction with services running on the server itself. The impact is particularly severe in cloud environments, where metadata endpoints are unauthenticated and can lead to full cloud account compromise.
To reproduce this vulnerability, an authenticated user with permission to create or execute agent actions can send a request to the LibreChat server's action creation endpoint. The request must include a private IPv4-mapped IPv6 address, such as 'http://[::ffff:169.254.169.254]/', in the 'domain' metadata field. Once the action is created, it can be triggered, causing the server to make an HTTP request to the specified internal address, bypassing the SSRF protections.
Users are advised to update to LibreChat version 0.8.3 or later, where this vulnerability has been fixed.