PT-2025-48355 · Librechat · Librechat

Published 2025-11-29 · Updated 2025-12-22 · CVE-2025-66201

CVSS v4.0: 8.6 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: LibreChat versions prior to 0.8.1-rc2
Description: LibreChat, a ChatGPT clone with additional features, contains a Server-Side Request Forgery (SSRF) issue in its "Actions" feature. An authenticated user with access to this feature can submit a specially crafted OpenAPI specification and have the Large Language Model (LLM) invoke the resulting actions. Because the requests are issued by the LibreChat server, this gives the user access to URLs reachable only from that server, potentially including cloud metadata services, which could lead to server impersonation.
Recommendations: Update LibreChat to version 0.8.1-rc2 or later.
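The defensive check an application like this needs is to validate every server URL taken from a user-supplied OpenAPI specification before the server fetches it, and to do so on the resolved addresses rather than on the URL text. The following is an added example written for this record; it is not LibreChat's code and not the upstream fix. It assumes a hypothetical hook (`check_openapi_servers`) at the point where the spec's `servers[].url` values become known, and it uses a constructed DNS table so that it runs offline; in a deployment the real `default_resolver` would be used.

```python
"""Reject OpenAPI server URLs that would turn a server-side fetch into SSRF.

Added example, not LibreChat's code. Function and parameter names are
hypothetical; the DNS answers below are constructed for the demo.
"""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Address ranges a user-driven server-side fetch must never reach: loopback,
# RFC 1918, link-local (cloud metadata sits at 169.254.169.254), CGNAT,
# "this network", IPv6 loopback/unspecified/unique-local/link-local.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
    "::1/128", "::/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], Iterable[str]]


def default_resolver(host: str) -> list[str]:
    """Resolve every A/AAAA record; one safe record is not enough."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_ip(addr: str) -> bool:
    """True if the address must not be contacted on the user's behalf."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) before range checks.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_multicast or ip.is_unspecified:
        return True
    # Production code can additionally require `ip.is_global`; it is omitted
    # here only because it also rejects the RFC 5737 documentation addresses
    # the constructed demo data uses.
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_action_server_url(url: str, resolver: Resolver = default_resolver) -> tuple[bool, str]:
    """Return (allowed, reason) for one server URL from an OpenAPI spec."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme or '<none>'}"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    host = parts.hostname  # brackets stripped for IPv6 literals
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost is not allowed"
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        # Not a standard literal: check what it actually resolves to, so that
        # alternate encodings and internal hostnames are caught as well.
        try:
            addrs = list(resolver(host))
        except OSError as exc:
            return False, f"resolution failed: {exc}"
        if not addrs:
            return False, "host did not resolve"
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"host resolves to non-public address {addr}"
    return True, "ok"


def check_openapi_servers(spec: dict, resolver: Resolver = default_resolver) -> dict[str, str]:
    """Return {url: reason} for every top-level `servers` entry that is rejected.

    Hypothetical hook: call this before any action derived from the spec may
    run. Per-path `servers` overrides would need the same treatment.
    """
    rejected: dict[str, str] = {}
    for entry in spec.get("servers", []):
        url = entry.get("url", "") if isinstance(entry, dict) else ""
        ok, reason = check_action_server_url(url, resolver)
        if not ok:
            rejected[url] = reason
    return rejected


# Constructed DNS answers so the example runs offline (not real records).
FAKE_DNS = {
    "api.example.com": ["203.0.113.10"],
    "rebind.example.net": ["203.0.113.20", "169.254.169.254"],  # one bad record
    "2130706433": ["127.0.0.1"],  # decimal form some resolvers accept as 127.0.0.1
}


def fake_resolver(host: str) -> list[str]:
    if host not in FAKE_DNS:
        raise OSError(f"no such host: {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    spec = {"openapi": "3.1.0", "servers": [
        {"url": "https://api.example.com/v1"},
        {"url": "http://169.254.169.254/latest/meta-data/"},
        {"url": "http://[::ffff:169.254.169.254]/"},
        {"url": "http://rebind.example.net/"},
        {"url": "file:///etc/hosts"},
    ]}
    for url, reason in check_openapi_servers(spec, fake_resolver).items():
        print(f"rejected {url}: {reason}")
```

Note that the check must run again at connection time (or the client must pin the resolved address), since a hostname that passes here can be re-resolved to an internal address on the next lookup; validating the literal text alone also misses IPv4-mapped and non-dotted address forms, which is why the code checks resolved addresses.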

Exploit · Fix · SSRF · RCE

Weakness Enumeration

Related Identifiers

CVE-2025-66201
GHSA-7M2Q-FJWR-5X8V

Affected Products

Librechat