LibreChat Stream Subscription Vulnerability Allows Unauthorized Access to Real-Time Chats

Vulnerability

A vulnerability in LibreChat versions 0.8.2-rc2 through 0.8.2-rc3 allows any authenticated user to access another user's real-time chat content through the SSE streaming endpoint '/api/agents/chat/stream/:streamId'. The endpoint fails to verify stream ownership, enabling users to read messages, AI responses, and tool invocations from chats they do not own. This issue has been patched in version 0.8.2.
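The missing check described above, as an added illustration that is not LibreChat's own code: a stream-subscription lookup written as a pure function (so it runs without a server), showing the unchecked pattern beside a hardened one that requires the caller to own the stream. The registry layout (streamId to ownerId and buffered events) and the Express-style handler are assumptions for the example.

```javascript
// Constructed sample registry: streamId -> { ownerId, events }.
// In a real deployment this would be backed by the stream store.
const STREAMS = new Map([
  ['stream-alice-1', { ownerId: 'alice', events: ['message', 'tool_call', 'done'] }],
  ['stream-bob-1',   { ownerId: 'bob',   events: ['message', 'done'] }],
]);

// Vulnerable pattern: authentication is checked, ownership is not, so any
// logged-in user who knows a streamId receives that stream's events.
function subscribeUnchecked(registry, streamId, user) {
  if (!user) return { status: 401 };
  const stream = registry.get(streamId);
  if (!stream) return { status: 404 };
  return { status: 200, events: stream.events }; // no ownership check
}

// Hardened pattern: require authentication AND that the caller owns the stream.
// Unknown and foreign streams both yield 404, so the endpoint never confirms
// which stream IDs exist to a caller who does not own them.
function subscribeChecked(registry, streamId, user) {
  if (!user || typeof user.id !== 'string') return { status: 401 };
  const stream = registry.get(streamId);
  if (!stream || stream.ownerId !== user.id) return { status: 404 };
  return { status: 200, events: stream.events };
}

// Express-style route handler built from either subscribe function; the
// req/res shapes are assumed, and Express itself is not needed to run this.
function makeStreamHandler(registry, subscribe) {
  return (req, res) => {
    const result = subscribe(registry, req.params.streamId, req.user);
    if (result.status !== 200) return res.sendStatus(result.status);
    res.setHeader('Content-Type', 'text/event-stream');
    for (const ev of result.events) res.write(`data: ${JSON.stringify(ev)}\n\n`);
    res.end();
  };
}
```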

Impact

Exploitation of this vulnerability leads to a breach of confidentiality, allowing unauthorized users to read private conversations in real time, including sensitive information such as API keys, passwords, and personally identifiable information. Additionally, attackers can see which tools or functions agents execute on behalf of users, all without the victim's knowledge.

Reproduction

To reproduce this vulnerability, an authenticated user must obtain a valid stream ID from a conversation initiated by another user, for example through shared URLs, IDs leaked in error messages, or browser history. Once the stream ID is acquired, the attacker can subscribe to the stream using the '/api/agents/chat/stream/:streamId' endpoint, effectively intercepting the victim's chat content in real time.

Remediation

Users should update to LibreChat version 0.8.2 or later, where this vulnerability has been patched.

Added: Mar 27, 2026, 8:34 PM
Updated: Mar 27, 2026, 8:34 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 2.5
exploitability: 5.6
remediation: 7.7
relevance: 4.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.