Logicx24

**Name of the Vulnerable Software and Affected Versions** LibreChat versions 0.8.2-rc2 through 0.8.2-rc3 **Description** LibreChat, a ChatGPT clone, has an issue where the SSE streaming endpoint `/api/agents/chat/stream/:streamId` does not confirm that the user making the request is authorized to access the stream. This allows any authenticated user who has a valid stream ID—whether obtained legitimately or through guessing—to view another user’s real-time chat content, including messages, AI responses, and tool invocations. The `streamId` variable is a key component in this issue. **Recommendations** Versions prior to 0.8.2 should be updated to version 0.8.2 or later.

**Name of the Vulnerable Software and Affected Versions** LibreChat versions 0.8.2-rc1 through 0.8.3-rc1 **Description** LibreChat, a ChatGPT clone, has an issue where user-created Model Context Protocol (MCP) servers can include arbitrary HTTP headers. These headers are subject to credential placeholder substitution. An attacker can create a malicious MCP server with headers containing `{{LIBRECHAT OPENID ACCESS TOKEN}}` and other placeholders. When victims call tools on this server, their OAuth tokens can be exfiltrated. The API endpoint is susceptible through the use of malicious MCP servers. The vulnerable parameter is the HTTP header content within the MCP server configuration. **Recommendations** Update to version 0.8.3-rc2 or later.

**Name of the Vulnerable Software and Affected Versions** Gradio versions prior to 6.6.0 **Description** Gradio is a Python package for rapid prototyping. A flaw exists in the OAuth flow where the ` redirect to target()` function does not properly validate the `target url` query parameter. This allows redirection to arbitrary external URLs via the `/logout` and `/login/callback` API endpoints when OAuth is enabled. **Recommendations** Update to version 6.6.0 or later.

**Name of the Vulnerable Software and Affected Versions** Gradio versions prior to 6.6.0 **Description** Gradio is a Python package for rapid prototyping. A Server-Side Request Forgery (SSRF) condition exists in Gradio that allows an attacker to initiate arbitrary HTTP requests from a victim’s server. This is possible by hosting a malicious Gradio Space and leveraging the `gr.load()` function to load attacker-controlled content. The malicious `proxy url` from the configuration is then trusted and added to an allowlist, potentially granting access to internal services, cloud metadata endpoints, and private networks via the victim's infrastructure. **Recommendations** Update to version 6.6.0 or later.

**Name of the Vulnerable Software and Affected Versions** BentoML versions prior to 1.4.34 **Description** BentoML contains a path traversal flaw in the `bentofile.yaml` configuration. An attacker can craft a malicious `bentofile.yaml` that, when processed by BentoML, allows the exfiltration of arbitrary files from the filesystem into the bento archive. This can lead to supply chain attacks where sensitive information like SSH keys, credentials, and environment variables are silently included in bentos and potentially exposed when pushed to registries or deployed. The vulnerability stems from insufficient validation of user-provided file paths in multiple fields: `description`, `docker.setup script`, `docker.dockerfile template`, and `conda.environment yml`. The vulnerable function `resolve user filepath` in `src/bentoml/ internal/utils/filesystem.py` does not check for path containment, and the code in `src/bentoml/ internal/bento/bento.py` copies files without proper validation. Multiple path formats are supported, including absolute paths, tilde expansion, environment variable expansion, and relative traversal, simplifying exploitation. The `/proc/self/environ` vector is particularly dangerous in CI/CD pipelines where secrets are commonly passed as environment variables. **Recommendations** Update to BentoML version 1.4.34 or later.