Overview
CVE-2025-66201 details a Server-Side Request Forgery (SSRF) vulnerability found in LibreChat, an open-source ChatGPT clone with extended functionalities. This flaw, present in versions prior to 0.8.1-rc2, allows an authenticated user with access to the “Actions” feature to potentially access internal resources and sensitive information by crafting malicious OpenAPI specifications. By exploiting this vulnerability, an attacker could make the LibreChat server initiate requests to arbitrary URLs, including those only accessible within the internal network, such as cloud metadata services.
Technical Details
The vulnerability lies in how LibreChat handles user-provided OpenAPI specifications within its “Actions” feature. An attacker can craft a malicious OpenAPI spec that, when processed by the LLM, triggers the server to make requests to URLs specified within the spec. This effectively allows the attacker to bypass network restrictions and access resources that are not directly exposed to the internet. The core issue stems from insufficient validation and sanitization of the URLs provided within the OpenAPI specs, leading to the SSRF.
Specifically, by defining actions with endpoints pointing to internal resources (e.g., `http://169.254.169.254/latest/meta-data/`), an attacker can force the LibreChat server to leak sensitive information, potentially including cloud credentials or internal service configurations.
CVSS Analysis
Currently, a CVSS score for CVE-2025-66201 is not available (N/A). The severity is also marked as N/A. However, based on the nature of the SSRF vulnerability, a moderate to high severity rating is likely. This is because successful exploitation could lead to information disclosure, internal network reconnaissance, and potentially, even server impersonation.
A potential CVSS score would need to consider the scope change if cloud metadata can be accessed, as impersonation can lead to privilege escalation. This would impact the CVSS score towards the higher range.
Possible Impact
The successful exploitation of CVE-2025-66201 can have serious consequences:
- Information Disclosure: Attackers could access sensitive data from internal services, including configuration files, databases, and API keys.
- Internal Network Reconnaissance: By probing internal URLs, attackers can map out the internal network architecture, identifying valuable targets for further attacks.
- Server Impersonation: Accessing cloud metadata services (e.g., AWS, Azure, GCP) could allow an attacker to obtain temporary credentials and impersonate the LibreChat server, potentially leading to further compromise of the cloud environment.
Mitigation and Patch Steps
The vulnerability has been patched in LibreChat version 0.8.1-rc2. It is highly recommended to upgrade to this version or later to mitigate the risk.
Additional mitigation steps include:
- Input Validation: Implement robust input validation and sanitization for all URLs provided in OpenAPI specifications. Specifically, whitelist allowed URL schemes (e.g., `https`) and domains.
- Network Segmentation: Restrict network access for the LibreChat server, limiting its ability to connect to internal services unnecessarily.
- Regular Security Audits: Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
