LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.3, `isPrivateIP()` in `packages/api/src/auth/domain.ts` fails to detect IPv4-mapped …

LibreChat, a ChatGPT clone with additional features, contains a Server-Side Request Forgery (SSRF) vulnerability prior to version 0.8.3. The vulnerability exists in the isPrivateIP() function in packages/api/src/auth/domain.ts, which fails to properly detect IPv4-mapped IPv6 addresses in hex-normalized form. This allows authenticated users to bypass SSRF protection and make HTTP requests to internal network resources, including AWS cloud metadata services (169.254.169.254), loopback addresses, and RFC1918 private IP ranges. The issue has been resolved in version 0.8.3.