Platform: docker
Component: docker
Fixed in: 0.8.2
CVE-2025-69222 describes a server-side request forgery (SSRF) vulnerability affecting LibreChat, a ChatGPT clone, specifically within its Docker containerized deployment. The vulnerability stems from insufficient restrictions within the Actions feature, enabling agents to interact with remote services without proper validation. This allows attackers to potentially access internal components, such as the Retrieval-Augmented Generation (RAG) API, leading to data exfiltration and system compromise. LibreChat version 0.8.1-rc2 is affected, and a patch is expected.
The SSRF vulnerability in LibreChat allows an attacker to craft malicious agent instructions that trigger requests to arbitrary internal or external resources. Because the Actions feature lacks input validation, an attacker can bypass intended security boundaries and directly access the RAG API, potentially exposing sensitive data used for generating responses. This could include internal database credentials, API keys, or proprietary data. Furthermore, the attacker could leverage the SSRF to scan internal networks, identify other vulnerable services, and potentially pivot to other systems within the infrastructure, significantly expanding the attack surface. The lack of restrictions makes this a high-impact vulnerability, similar to scenarios where SSRF is used to access cloud metadata services.
CVE-2025-69222 was publicly disclosed on 2026-01-07. The vulnerability's severity is rated as CRITICAL (CVSS 9.1). Currently, there are no known public proof-of-concept exploits, but the ease of exploitation due to the lack of input validation suggests a high probability of exploitation. It is not currently listed on the CISA KEV catalog, but its critical nature warrants close monitoring. Active campaigns targeting LibreChat are not yet confirmed, but the SSRF vulnerability presents a significant attack vector.
Exploit Status
EPSS: 0.31% (54th percentile)
The primary mitigation for CVE-2025-69222 is to upgrade to a patched version of LibreChat as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds. Restrict network access to the LibreChat container using Docker network policies or firewall rules to limit its ability to reach internal resources. Carefully review and restrict the permissions granted to LibreChat agents, minimizing their access to sensitive APIs and data. Implement a Web Application Firewall (WAF) with SSRF protection rules to filter outbound requests and block malicious patterns. Monitor LibreChat logs for unusual outbound requests that could indicate exploitation attempts.
Update LibreChat to version 0.8.2-rc2 or higher. This version fixes the SSRF vulnerability by implementing restrictions on the Actions feature. Ensure you review the release notes and follow the upgrade instructions provided by the vendor.
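As an added example (not LibreChat's own code), here is the kind of destination check the Actions restriction described above needs: it rejects non-HTTP schemes, hostnames on an internal denylist, and any host whose addresses fall in private, loopback, link-local or reserved space, including IPv4-mapped IPv6 literals. The `rag_api` service name, the `.internal`/`.local` suffix rule and the injectable `resolver` are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical egress policy for agent Actions (added example, not LibreChat's code).
ALLOWED_SCHEMES = {"http", "https"}
# Internal names an agent must never reach. "rag_api" is assumed to be the compose
# service name of the RAG API; it is an illustrative placeholder, not from the advisory.
BLOCKED_HOSTNAMES = {"localhost", "rag_api", "metadata.google.internal"}


def _ip_is_internal(ip):
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 checks apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_link_local covers 169.254.169.254, the cloud metadata endpoint.
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def _default_resolver(host):
    # Resolve every A/AAAA record; one internal answer is enough to refuse the request.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_action_url(url, resolver=_default_resolver):
    """Return (allowed, reason). Every address the host resolves to must be public."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # lowercased; brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    if host in BLOCKED_HOSTNAMES or host.endswith((".internal", ".local")):
        return False, f"host {host!r} is on the internal denylist"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP, no DNS needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"cannot resolve {host!r}: {exc}"
    for ip in addrs:
        if _ip_is_internal(ip):
            return False, f"{host!r} resolves to internal address {ip}"
    return True, "ok"
```

To avoid a DNS-rebinding race, the caller should connect to one of the addresses this check already validated rather than resolving the hostname a second time.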
CVE-2025-69222 is a critical SSRF vulnerability in LibreChat Docker containers (version 0.8.1-rc2) where the Actions feature lacks restrictions, allowing unauthorized access to internal APIs like the RAG API.
If you are running LibreChat in a Docker container, specifically version 0.8.1-rc2, you are potentially affected by this SSRF vulnerability. Assess your environment and implement mitigations immediately.
The recommended fix is to upgrade to a patched version of LibreChat as soon as it becomes available. Until then, implement temporary workarounds like network restrictions and WAF rules.
While there are no confirmed reports of active exploitation at this time, the vulnerability's ease of exploitation suggests a high probability of future attacks. Continuous monitoring is crucial.
Refer to the official LibreChat security advisories and release notes on their website or GitHub repository for updates and information regarding the patch for CVE-2025-69222.