Cyber Resilience

CVE-2025-69222

Critical · Public PoC

Published: 07 January 2026

Modified: 15 January 2026
KEV Added
Patch
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L)
EPSS Score: 0.0409 (89.4th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-69222 is a critical-severity SSRF (CWE-918) vulnerability in LibreChat. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 10.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised as LLM Application Platforms, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2025-69222 is a server-side request forgery (SSRF) vulnerability (CWE-918) affecting LibreChat version 0.8.1-rc2, an open-source ChatGPT clone with additional features. The issue stems from missing restrictions on the Actions feature in the default configuration, which allows users to configure agents with predefined instructions and actions that interact with remote services via OpenAPI specifications. These actions support various HTTP methods, parameters, and authentication methods, including custom headers, but lack default limitations on accessible services, enabling access to internal components such as the RAG API in the default Docker Compose setup. The vulnerability has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L).

An authenticated user with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). By configuring an agent to issue requests via the unrestricted Actions feature, the attacker can forge server-side requests to arbitrary internal or external services, achieving high-impact confidentiality breaches (C:H) such as reading sensitive data from internal APIs, alongside low-impact integrity (I:L) and availability (A:L) effects. The changed scope (S:C) amplifies the potential for lateral movement within the environment.

Mitigation is addressed in the official GitHub security advisory (GHSA-rgjq-4q58-m3q8), with the issue fixed via commit 3b41e392ba5c0d603c1737d8582875e04eaa6e02 and in release v0.8.2-rc2. Administrators should upgrade to the patched version and review agent configurations to impose restrictions on allowable endpoints.
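As a way to carry out the configuration review described above, the following added example (not LibreChat code and not taken from the advisory) audits the servers entries of an Action's OpenAPI specification against an exact-host allowlist and refuses internal destinations. The allowlist, the sample specification and the service name rag_api:8000 are constructed for illustration.

```javascript
// Added example, not LibreChat code. ALLOWED_HOSTS and SAMPLE_SPEC are constructed.
const ALLOWED_HOSTS = new Set(['api.example.com']);

// True for IPv4 literals in unspecified, loopback, RFC 1918 or link-local ranges.
function isInternalIPv4(host) {
  const m = host.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (!m) return false;
  const [a, b] = [Number(m[1]), Number(m[2])];
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Classify one server URL from the spec. The WHATWG URL parser canonicalises
// decimal, hex and short IPv4 forms, so "http://2130706433/" yields 127.0.0.1.
function checkServerUrl(raw) {
  const deny = (reason) => ({ url: raw, allowed: false, reason });
  let u;
  try { u = new URL(raw); } catch (e) { return deny('unparseable URL'); }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return deny('non-HTTP scheme');
  const host = u.hostname.toLowerCase();
  if (host.startsWith('[')) return deny('IPv6 literal');
  if (isInternalIPv4(host)) return deny('internal IPv4 address');
  // Single-label names resolve inside a Compose network (service names, localhost).
  if (!host.includes('.')) return deny('single-label internal name');
  // Exact-host allowlist: unknown public names are refused even if they resolve internally.
  if (!ALLOWED_HOSTS.has(host)) return deny('host not on allowlist');
  return { url: raw, allowed: true, reason: 'allowlisted host' };
}

// Audit every entry under `servers` in a parsed OpenAPI document.
function auditActionSpec(spec) {
  return (spec.servers || []).map((s) => checkServerUrl(s.url));
}

// Constructed sample: one legitimate server and three that should be refused.
const SAMPLE_SPEC = {
  openapi: '3.0.0',
  servers: [
    { url: 'https://api.example.com/v1' },
    { url: 'http://rag_api:8000' },        // hypothetical Compose service name
    { url: 'http://2130706433/' },         // decimal form of 127.0.0.1
    { url: 'https://files.example.net/' }, // public but not allowlisted
  ],
};
for (const r of auditActionSpec(SAMPLE_SPEC)) {
  console.log(r.allowed ? 'ALLOW' : 'DENY ', r.url, '-', r.reason);
}
```

A check on the URL string does not replace egress filtering at the network boundary: an allowlisted name can still be re-pointed in DNS, so the resolved address should also be checked when the request is made.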

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 is prone to a server-side request forgery (SSRF) vulnerability due to missing restrictions of the Actions feature in the default configuration. LibreChat enables users to configure agents with predefined instructions and actions that can interact with remote services via OpenAPI specifications, supporting various HTTP methods, parameters, and authentication methods including custom headers. By default, there are no restrictions on accessible services, which means agents can also access internal components like the RAG API included in the default Docker Compose setup. This issue is fixed in version 0.8.1-rc2.

CWE(s)

AI Security Analysis

AI Category: LLM Application Platforms
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: chatgpt, librechat

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The SSRF vulnerability (CWE-918) in the public-facing LibreChat web application enables exploitation for unauthorized access to internal services and sensitive data, which maps directly to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31945 · Same product: Librechat Librechat
CVE-2026-31943 · Same product: Librechat Librechat
CVE-2025-69220 · Same product: Librechat Librechat
CVE-2025-41258 · Same product: Librechat Librechat
CVE-2026-22252 · Same product: Librechat Librechat
CVE-2024-10361 · Same product: Librechat Librechat
CVE-2026-4276 · Same product: Librechat Librechat
CVE-2026-31944 · Same product: Librechat Librechat
CVE-2026-31942 · Same product: Librechat Librechat
CVE-2026-33265 · Same product: Librechat Librechat

Affected Assets

librechat
librechat
0.8.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Validates inputs such as URLs, endpoints, and OpenAPI specifications in the Actions feature to prevent server-side requests to unauthorized internal or external services.

prevent

Monitors and controls communications at system boundaries to block SSRF attempts from reaching internal components like the RAG API.

prevent

Enforces information flow control rules to restrict agent actions from forging requests to disallowed services in line with access policies.

References