LibreChat MCP Server Header Injection Vulnerability Allows OAuth Token Theft

A vulnerability exists in LibreChat versions 0.8.2-rc1 through 0.8.3-rc1, where user-created Model Context Protocol (MCP) servers can include arbitrary HTTP headers that undergo credential placeholder substitution. This flaw allows an attacker to create a malicious MCP server that exfiltrates OAuth tokens from victims who interact with the server using tools that trigger header substitutions. The issue arises because the 'headers' field is not properly sanitized before being processed, leaving room for exploitation.

Impact

Exploitation of this vulnerability leads to the theft of OAuth access tokens from victims, specifically those authenticated via OpenID Single Sign-On (SSO). This can result in unauthorized access to services linked through the same SSO provider, and in corporate environments, it may allow lateral movement across resources. Additionally, the vulnerability exposes personal information such as the victim's email, user ID, and name.

Reproduction

To reproduce this vulnerability, log into a LibreChat instance with MCP servers enabled as an attacker. Create a malicious MCP server that includes headers with placeholders for OAuth tokens and other user information. Once the server is set up, share it with a victim. When the victim activates the server and uses a tool that interacts with it, the headers will be processed with the victim's credentials, including the OAuth access token, which will be sent to the attacker's server.

Remediation

Users should update to LibreChat version 0.8.3-rc2 or later, where this vulnerability has been patched.