
LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.3, `isPrivateIP()` in `packages/api/src/auth/domain.ts` fails to detect IPv4-mapped …

Published:

26 March 2026 at 23:00:00

Alert date:

27 March 2026 at 21:04:38

Source:

nvd.nist.gov


Web Technologies, Cloud & Virtualization

LibreChat, a ChatGPT clone with additional features, contains a Server-Side Request Forgery (SSRF) vulnerability prior to version 0.8.3. The vulnerability exists in the isPrivateIP() function in packages/api/src/auth/domain.ts, which fails to properly detect IPv4-mapped IPv6 addresses in hex-normalized form. This allows authenticated users to bypass SSRF protection and make HTTP requests to internal network resources, including AWS cloud metadata services (169.254.169.254), loopback addresses, and RFC1918 private IP ranges. The issue has been resolved in version 0.8.3.
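The class of bug described above is a private-address check that only recognises dotted-quad IPv4 and, at most, the dotted `::ffff:a.b.c.d` mapped form, while an IPv4-mapped IPv6 address can equally be written with the last 32 bits as two hex groups (`::ffff:a9fe:a9fe` for 169.254.169.254). The following TypeScript is an added example, not LibreChat's own `isPrivateIP()` nor its patch: it expands any IPv6 input to eight 16-bit groups first, extracts a mapped IPv4 address from either spelling, and only then applies the loopback, link-local and RFC1918 range checks. The `naiveCheck` function is a constructed illustration of the miss, not the pre-0.8.3 code, and the range list and `isPrivateIP` name are assumptions for this example.

```typescript
// Added example (not LibreChat's code): normalise IPv4-mapped IPv6 before range checks.

// Ranges an SSRF filter typically refuses to fetch from (assumed list for this example).
const PRIVATE_V4_RANGES: Array<[string, number]> = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], // RFC1918
  ["127.0.0.0", 8],                                         // loopback
  ["169.254.0.0", 16],                                      // link-local, incl. cloud metadata
  ["0.0.0.0", 8],                                           // "this" network
];

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed.
function parseIPv4(s: string): number | null {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n >>> 0;
}

// Expand an IPv6 literal to 8 groups. Accepts "::" compression, brackets, a zone id,
// and an embedded dotted IPv4 tail (converted to two hex groups so both spellings
// of a mapped address end up identical). Returns null if malformed.
function expandIPv6(s: string): number[] | null {
  let str = s.trim();
  if (str.startsWith("[") && str.endsWith("]")) str = str.slice(1, -1);
  const zone = str.indexOf("%");
  if (zone !== -1) str = str.slice(0, zone);
  const lastColon = str.lastIndexOf(":");
  const tail = str.slice(lastColon + 1);
  if (tail.includes(".")) {
    const v4 = parseIPv4(tail);
    if (v4 === null) return null;
    str = str.slice(0, lastColon + 1) + (v4 >>> 16).toString(16) + ":" + (v4 & 0xffff).toString(16);
  }
  const halves = str.split("::");
  if (halves.length > 2) return null;
  const toGroups = (h: string): number[] | null => {
    if (h === "") return [];
    const out: number[] = [];
    for (const g of h.split(":")) {
      if (!/^[0-9a-fA-F]{1,4}$/.test(g)) return null;
      out.push(parseInt(g, 16));
    }
    return out;
  };
  const head = toGroups(halves[0]);
  const rest = halves.length === 2 ? toGroups(halves[1]) : [];
  if (head === null || rest === null) return null;
  const missing = 8 - head.length - rest.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  return [...head, ...new Array(missing).fill(0), ...rest];
}

// ::ffff:0:0/96 -> the embedded IPv4 address, regardless of how it was written.
function mappedIPv4(groups: number[]): number | null {
  const prefixZero = groups.slice(0, 5).every((g) => g === 0);
  if (prefixZero && groups[5] === 0xffff) return ((groups[6] << 16) | groups[7]) >>> 0;
  return null;
}

function inRange(ip: number, base: string, bits: number): boolean {
  const b = parseIPv4(base)!;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((b & mask) >>> 0);
}

// Hardened check: classify after normalisation; anything unparseable is treated as
// private (fail closed) so the caller never fetches a host it could not classify.
export function isPrivateIP(host: string): boolean {
  const v4 = parseIPv4(host);
  if (v4 !== null) return PRIVATE_V4_RANGES.some(([b, n]) => inRange(v4, b, n));
  const groups = expandIPv6(host);
  if (groups === null) return true;
  const mapped = mappedIPv4(groups);
  if (mapped !== null) return PRIVATE_V4_RANGES.some(([b, n]) => inRange(mapped, b, n));
  const isLoopback = groups.slice(0, 7).every((g) => g === 0) && groups[7] === 1; // ::1
  const isUnspecified = groups.every((g) => g === 0);                             // ::
  const isULA = (groups[0] & 0xfe00) === 0xfc00;                                  // fc00::/7
  const isLinkLocal = (groups[0] & 0xffc0) === 0xfe80;                            // fe80::/10
  return isLoopback || isUnspecified || isULA || isLinkLocal;
}

// Constructed illustration of the bug class (NOT LibreChat's pre-fix code): stripping a
// literal "::ffff:" prefix handles the dotted mapped form but not the hex-group form.
export function naiveCheck(host: string): boolean {
  const stripped = host.replace(/^::ffff:/i, "");
  const v4 = parseIPv4(stripped);
  return v4 !== null && PRIVATE_V4_RANGES.some(([b, n]) => inRange(v4, b, n));
}
```

Two details matter beyond the normalisation itself: the check runs on the address the resolver actually returned, not only on the user-supplied hostname (otherwise a DNS name pointing at 169.254.169.254 passes), and unparseable input is rejected rather than waved through.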

Affected products:

LibreChat

IOCs:

169.254.169.254

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information obtained from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
