PT-2026-28429 · Librechat · Librechat
Danny-Avila · Published 2026-03-27 · Updated 2026-03-28 · CVE-2026-31943
CVSS v3.1: 8.5 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: LibreChat versions prior to 0.8.3
Description: LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.3, the isPrivateIP() function in packages/api/src/auth/domain.ts does not correctly identify IPv4-mapped IPv6 addresses in their hex-normalized form. This allows any authenticated user to bypass Server-Side Request Forgery (SSRF) protection. Successful exploitation enables the server to make HTTP requests to internal network resources, including cloud metadata services (e.g., AWS 169.254.169.254), loopback, and RFC1918 ranges. The vulnerable function is isPrivateIP(). The affected API endpoint is not explicitly mentioned.
Recommendations: Upgrade to version 0.8.3 to resolve this issue.
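The description above turns on one normalization gap: an IPv4-mapped IPv6 address can be spelled with a dotted quad (::ffff:169.254.169.254) or with the same 32 bits as two hex groups (::ffff:a9fe:a9fe), and a private-range check that only recognizes the first spelling lets the second through. The following is an added example written for this page, not LibreChat's isPrivateIP() and not its 0.8.3 fix. It places a deliberately weak check (isPrivateIPWeak, a hypothetical stand-in for dotted-quad-only handling) beside a hardened one that parses the IPv6 literal into its eight groups, un-maps any embedded IPv4, and only then applies the range rules; parseIPv6, unmapIPv4 and the helper names are this example's own, and the blocked ranges are the usual RFC1918, loopback, link-local and CGNAT prefixes.

```typescript
// Added example: normalize IPv4-mapped IPv6 before checking private ranges.
// Not LibreChat code; helper names and structure are this example's assumptions.

type V4 = [number, number, number, number];

// Parse a dotted-quad IPv4 literal; null when not exactly four 0-255 octets.
function parseIPv4(s: string): V4 | null {
  const parts = s.split('.');
  if (parts.length !== 4) return null;
  const out: number[] = [];
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const n = Number(p);
    if (n > 255) return null;
    out.push(n);
  }
  return [out[0], out[1], out[2], out[3]];
}

// Expand an IPv6 literal into eight 16-bit groups. Handles "::" compression and a
// trailing dotted IPv4 (e.g. "::ffff:10.0.0.1") by rewriting it as two hex groups,
// so both spellings of a mapped address reach the same code path. Null if malformed.
function parseIPv6(s: string): number[] | null {
  if (s.includes('.')) {
    const idx = s.lastIndexOf(':');
    const v4 = parseIPv4(s.slice(idx + 1));
    if (!v4) return null;
    const hi = ((v4[0] << 8) | v4[1]).toString(16);
    const lo = ((v4[2] << 8) | v4[3]).toString(16);
    s = `${s.slice(0, idx + 1)}${hi}:${lo}`;
  }
  const halves = s.split('::');
  if (halves.length > 2) return null;
  const toGroups = (part: string): number[] | null => {
    if (part === '') return [];
    const groups: number[] = [];
    for (const g of part.split(':')) {
      if (!/^[0-9a-fA-F]{1,4}$/.test(g)) return null;
      groups.push(parseInt(g, 16));
    }
    return groups;
  };
  const head = toGroups(halves[0]);
  const tail = halves.length === 2 ? toGroups(halves[1]) : [];
  if (!head || !tail) return null;
  if (halves.length === 1) return head.length === 8 ? head : null;
  const fill = 8 - head.length - tail.length;
  if (fill < 1) return null;
  return [...head, ...Array<number>(fill).fill(0), ...tail];
}

// If the groups form ::ffff:a.b.c.d (in any spelling), return the embedded IPv4.
function unmapIPv4(groups: number[]): V4 | null {
  for (let i = 0; i < 5; i++) if (groups[i] !== 0) return null;
  if (groups[5] !== 0xffff) return null;
  return [groups[6] >> 8, groups[6] & 0xff, groups[7] >> 8, groups[7] & 0xff];
}

// Range rules applied to a parsed IPv4 address.
function isPrivateIPv4(v4: V4): boolean {
  const [a, b] = v4;
  return (
    a === 10 ||                          // 10.0.0.0/8
    (a === 172 && b >= 16 && b <= 31) || // 172.16.0.0/12
    (a === 192 && b === 168) ||          // 192.168.0.0/16
    a === 127 ||                         // loopback
    (a === 169 && b === 254) ||          // link-local, incl. metadata 169.254.169.254
    a === 0 ||                           // "this" network
    (a === 100 && b >= 64 && b <= 127)   // CGNAT 100.64.0.0/10
  );
}

// Weak check (hypothetical): strips "::ffff:" and expects a dotted quad behind it,
// so the hex spelling of a mapped address is never recognized as private.
function isPrivateIPWeak(ip: string): boolean {
  const v4 = parseIPv4(ip.replace(/^::ffff:/i, ''));
  return v4 ? isPrivateIPv4(v4) : false;
}

// Hardened check: parse structurally, un-map, then apply range rules; fail closed.
function isPrivateIP(ip: string): boolean {
  let s = ip.trim();
  if (s.startsWith('[') && s.endsWith(']')) s = s.slice(1, -1);
  const zone = s.indexOf('%');
  if (zone !== -1) s = s.slice(0, zone); // drop scope id such as %eth0
  const v4 = parseIPv4(s);
  if (v4) return isPrivateIPv4(v4);
  const groups = parseIPv6(s);
  if (!groups) return true; // unparseable input is treated as private (fail closed)
  const mapped = unmapIPv4(groups);
  if (mapped) return isPrivateIPv4(mapped);
  if (groups.every((g) => g === 0)) return true;                      // ::
  if (groups.slice(0, 7).every((g) => g === 0) && groups[7] === 1) return true; // ::1
  if ((groups[0] & 0xfe00) === 0xfc00) return true;                    // fc00::/7
  if ((groups[0] & 0xffc0) === 0xfe80) return true;                    // fe80::/10
  return false;
}

// Constructed sample inputs showing where the two checks diverge.
for (const ip of ['::ffff:169.254.169.254', '::ffff:a9fe:a9fe', '0:0:0:0:0:ffff:7f00:1', '8.8.8.8']) {
  console.log(ip.padEnd(26), 'weak:', isPrivateIPWeak(ip), 'hardened:', isPrivateIP(ip));
}
```

The design point is that the range rules are only ever applied to a canonical form: every IPv6 literal is expanded to eight groups first, so a reviewer can verify the un-mapping once rather than auditing each textual variant the function might be handed. Treating unparseable input as private is a deliberate fail-closed choice for an SSRF guard; a guard that returns false on anything it does not understand reopens the same class of bypass through the next unexpected spelling.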

Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers: CVE-2026-31943 · GHSA-W5R7-4F94-VP4C

Affected Products: Librechat