SBA Security Advisory – LibreChat Server-Side Request Forgery (CVE-2025-69222)

Name	SBA Research Cookie
Provider	SBA Research
Purpose	Saves the settings of the visitors selected in the cookie box.
Cookie name	sba-research-cookie
Cookie runtime	1 year

Name	YouTube
Provider	YouTube
Purpose	Used to unblock YouTube content.
Privacy policy	https://policies.google.com/privacy
Host(s)	google.com
Cookie name	NID
Cookie runtime	6 months

Name	Vimeo
Provider	Vimeo
Purpose	Used to unblock Vimeo content.
Privacy policy	https://vimeo.com/privacy
Host(s)	player.vimeo.com
Cookie name	vuid
Cookie runtime	2 years

January 8, 2026

Vulnerability Overview

LibreChat version 0.8.1-rc2 is prone to a server-side request forgery (SSRF) vulnerability due to missing restrictions of the Actions feature in the default configuration. This allows attackers to interact with arbitrary third-party HTTP services, for example the internal RAG API.

Type of Vulnerability: Server-Side Request Forgery (SSRF)
Fixed in Version: 0.8.2-rc2
CVE ID: CVE-2025-69222
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
CVSS Base Score: 9.1 (Critical)

Recommended Countermeasure

We recommend updating to LibreChat version 0.8.2-rc2 or later and set the option actions.allowedDomains to a non-empty list. Moreover, the allowed entries should explicitly specify the protocol and port.

Links

Full Security Advisory

Credits

Lisa Gnedt (SBA Research)
Michael Koppmann (SBA Research)

The discovery of this vulnerability was made possible through support from CYSSDE and the European Union.

News