LibreChat Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in LibreChat versions 0.8.2-rc2 through 0.8.2. It is reachable through agent actions and the MCP feature. An attacker can bypass the hostname validation and reach internal resources, such as private APIs or cloud instance metadata endpoints, because the application never checks whether the DNS resolution of a supplied hostname yields a private IP address, leaving internal services exposed.

Impact

Exploitation of this vulnerability allows access to internal resources, including cloud instance metadata, which can be used to retrieve or abuse sensitive credentials. In a demonstrated proof of concept, this vulnerability was exploited to access an AWS EC2 instance's metadata, bypassing security measures and potentially leading to more severe attacks.

Reproduction

To reproduce this vulnerability, deploy LibreChat on an AWS EC2 instance and create an agent action that specifies a server URL resolving to a private IP address, such as through a wildcard DNS service. Once the request is sent, the internal metadata can be accessed using the obtained token, demonstrating the SSRF exploitation.

Remediation

Users can update to LibreChat version 0.8.3-rc1, which includes a patch for this vulnerability. Beyond updating, it is recommended to validate the addresses a hostname actually resolves to and to connect only to the validated address, so that a second DNS lookup cannot substitute a private IP (a Time-of-Check to Time-of-Use attack).

Added: Mar 27, 2026, 8:35 PM
Updated: Mar 27, 2026, 8:35 PM

Vulnerability Rating

Custom Algorithm
  spread          1.4
  impact          0.6
  exploitability  5.6
  remediation     7.7
  relevance       4.8
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.