
CVE-2025-66201: CWE-20: Improper Input Validation in danny-avila LibreChat

Severity: High
Type: Vulnerability
Tags: CVE-2025-66201, cve, cve-2025-66201, cwe-20, cwe-918
Published: Sat Nov 29 2025 (11/29/2025, 01:26:18 UTC)
Source: CVE Database V5
Vendor/Project: danny-avila
Product: LibreChat

Description

LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.1-rc2, LibreChat is vulnerable to Server-side Request Forgery (SSRF), by passing specially crafted OpenAPI specs to its "Actions" feature and making the LLM use those actions. It could be used by an authenticated user with access to this feature to access URLs only accessible to the LibreChat server (such as cloud metadata services, through which impersonation of the server might be possible). This issue has been patched in version 0.8.1-rc2.

AI-Powered Analysis

Last updated: 11/29/2025, 02:08:05 UTC

Technical Analysis

CVE-2025-66201 is a high-severity vulnerability in LibreChat, a ChatGPT clone developed by danny-avila. The flaw is rooted in improper input validation (CWE-20) within the 'Actions' feature, which accepts OpenAPI specifications to extend the language model's capabilities. Prior to version 0.8.1-rc2, an authenticated user could submit specially crafted OpenAPI specs that trigger Server-Side Request Forgery (SSRF, CWE-918), causing the LibreChat server to make arbitrary HTTP requests to internal or protected network resources. This includes sensitive endpoints such as cloud metadata services, which often contain credentials or tokens that could be leveraged to impersonate the server or escalate privileges. The vulnerability does not require user interaction beyond authentication and can be exploited remotely with low complexity. The CVSS 4.0 score of 8.6 reflects high impact on confidentiality and integrity, with no impact on availability. Although no public exploits have been observed, the potential for lateral movement and data exfiltration is significant. The issue was addressed in LibreChat version 0.8.1-rc2 by implementing stricter input validation and request filtering to prevent SSRF attacks.

Potential Impact

For European organizations deploying LibreChat versions earlier than 0.8.1-rc2, this vulnerability poses a substantial risk. Exploitation could allow attackers with authenticated access to bypass network segmentation and access internal services, including cloud metadata endpoints that may contain sensitive credentials. This can lead to unauthorized access to cloud infrastructure, data breaches, and potential lateral movement within corporate networks. Given the increasing adoption of cloud services and AI chat platforms in Europe, the impact extends to confidentiality and integrity of critical data and systems. Organizations in regulated sectors such as finance, healthcare, and government are particularly at risk due to the sensitivity of their data and compliance requirements. The vulnerability's exploitation could also undermine trust in AI tools and disrupt operational workflows that rely on LibreChat integrations.

Mitigation Recommendations

European organizations should immediately upgrade LibreChat installations to version 0.8.1-rc2 or later to apply the official patch. Until upgrades are completed, restrict access to the 'Actions' feature to only highly trusted users and monitor usage logs for unusual OpenAPI specification submissions. Implement network-level controls to block outbound HTTP requests from the LibreChat server to internal metadata service IP ranges and other sensitive endpoints. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SSRF patterns in API requests. Conduct regular audits of user privileges to ensure only necessary users have access to features that can trigger SSRF. Additionally, review cloud environment configurations to limit metadata service exposure and enforce the principle of least privilege on cloud credentials. Finally, integrate anomaly detection systems to identify unusual request patterns originating from LibreChat servers.
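
To support the review of submitted OpenAPI specifications recommended above, the following added example (not LibreChat's patch and not code from the project) audits the top-level servers entries of a spec and flags URLs whose host is an internal, loopback or link-local address. The function names, verdict strings and sample spec are assumptions constructed for illustration; a hostname that is not an IP literal still has to be checked against the same ranges after DNS resolution, at the time the request is made.

```javascript
// Added example: flag OpenAPI `servers` URLs that point at internal addresses.
const BLOCKED_V4 = [ // [base address, prefix length]
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], // link-local, where cloud metadata services live
  ['172.16.0.0', 12], ['192.168.0.0', 16],
];
const v4ToInt = (ip) => ip.split('.').reduce((n, o) => n * 256 + Number(o), 0);
const inCidr = (ip, [base, bits]) => {
  const size = 2 ** (32 - bits);
  return Math.floor(v4ToInt(ip) / size) === Math.floor(v4ToInt(base) / size);
};

function classifyHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (/^\d+\.\d+\.\d+\.\d+$/.test(h)) {
    return BLOCKED_V4.some((cidr) => inCidr(h, cidr)) ? 'blocked-ipv4' : 'public-ip';
  }
  if (h.includes(':')) { // IPv6 literal
    // loopback, unspecified, all v4-mapped (conservative), link-local, unique-local
    const internal = /^(::1?$|::ffff:|fe[89ab][0-9a-f]:|f[cd][0-9a-f]{2}:)/;
    return internal.test(h) ? 'blocked-ipv6' : 'public-ip';
  }
  if (h === 'localhost' || h.endsWith('.localhost')) return 'blocked-name';
  // A name proves nothing: the address it resolves to must be checked at request time.
  return 'needs-dns-check';
}

function auditSpecServers(spec) {
  return (spec.servers || []).map(({ url, variables = {} }) => {
    // Expand {var} templates with their declared defaults before parsing.
    const expanded = url.replace(/\{(\w+)\}/g, (_, k) => variables[k]?.default ?? '');
    let parsed;
    try { parsed = new URL(expanded); } catch { return { url, verdict: 'invalid-url' }; }
    if (!['http:', 'https:'].includes(parsed.protocol)) return { url, verdict: 'blocked-scheme' };
    // URL parsing normalizes numeric host forms to a dotted quad before the range check.
    return { url, verdict: classifyHost(parsed.hostname) };
  });
}

// Constructed sample spec (not taken from any real submission).
const sampleSpec = {
  openapi: '3.0.0',
  servers: [
    { url: 'https://api.example.com/v1' },
    { url: 'http://169.254.169.254/latest' },
    { url: 'http://2130706433/' }, // numeric form of 127.0.0.1
    { url: 'http://{host}/', variables: { host: { default: '10.0.0.5' } } },
    { url: 'http://[::1]:8080/' },
  ],
};
```

OpenAPI also allows servers at the path and operation level, which this example does not walk; a production check would cover those and be repeated on every redirect.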


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-11-24T23:01:29.676Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 692a51f32a13ea799fcc56d4

Added to database: 11/29/2025, 1:52:51 AM

Last enriched: 11/29/2025, 2:08:05 AM

Last updated: 11/29/2025, 12:03:15 PM
