CVE-2025-69222

CVE-2025-69222 is a server-side request forgery (SSRF) vulnerability (CWE-918) affecting LibreChat version 0.8.1-rc2, an open-source ChatGPT clone with additional features. The issue stems from missing restrictions on the Actions feature in the default configuration, which allows users to configure agents with predefined instructions and actions that interact with remote services via OpenAPI specifications. These actions support various HTTP methods, parameters, and authentication methods, including custom headers, but lack default limitations on accessible services, enabling access to internal components such as the RAG API in the default Docker Compose setup. The vulnerability has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L).

An authenticated user with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). By configuring an agent to issue requests via the unrestricted Actions feature, the attacker can forge server-side requests to arbitrary internal or external services, achieving high-impact confidentiality breaches (C:H) such as reading sensitive data from internal APIs, alongside low-impact integrity (I:L) and availability (I:L) effects. The changed scope (S:C) amplifies the potential for lateral movement within the environment.

Mitigation is addressed in the official GitHub security advisory (GHSA-rgjq-4q58-m3q8), with the issue fixed via commit 3b41e392ba5c0d603c1737d8582875e04eaa6e02 and in release v0.8.2-rc2. Administrators should upgrade to the patched version and review agent configurations to impose restrictions on allowable endpoints.