CVE-2025-66201 identifies a critical SSRF vulnerability in the LibreChat application, a ChatGPT clone that supports user-defined 'Actions' via OpenAPI specifications. Prior to version 0.8.1-rc2, LibreChat does not properly validate or sanitize the OpenAPI specs submitted by authenticated users with access to the 'Actions' feature. This improper input validation (CWE-20) allows attackers to craft malicious API definitions that cause the server to perform unauthorized HTTP requests to internal or protected endpoints. Notably, this includes cloud provider metadata services (e.g., AWS EC2 metadata, Azure Instance Metadata Service), which often contain sensitive credentials or tokens. By leveraging this SSRF (CWE-918), an attacker can potentially retrieve these secrets, enabling server impersonation or lateral movement within the network. The vulnerability requires the attacker to be authenticated and have access to the 'Actions' feature but does not require additional user interaction or elevated privileges. The flaw was publicly disclosed and assigned CVE-2025-66201 with a CVSS 4.0 score of 8.6, reflecting its high impact on confidentiality and integrity with low attack complexity. The vendor patched the issue in version 0.8.1-rc2 by implementing proper input validation and request filtering to prevent SSRF exploitation. No known exploits are currently reported in the wild.

For European organizations deploying LibreChat, especially in cloud environments, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to internal services and cloud metadata endpoints, potentially exposing sensitive credentials and enabling attacker impersonation of the server. This could result in data breaches, unauthorized access to internal resources, and lateral movement within corporate networks. Organizations using LibreChat in multi-tenant or production environments face increased risk of compromise. The impact is heightened for entities relying on cloud infrastructure providers common in Europe, such as AWS Europe regions, Microsoft Azure Europe, or Google Cloud Europe, where metadata services are critical for instance identity and security. Additionally, organizations in sectors with strict data protection regulations (e.g., GDPR) may face compliance and reputational damage if such an incident occurs. The requirement for authenticated access limits exposure but does not eliminate risk, especially if user accounts are compromised or insufficiently restricted.

1. Upgrade LibreChat to version 0.8.1-rc2 or later immediately to apply the official patch addressing this SSRF vulnerability. 2. Restrict access to the 'Actions' feature strictly to trusted and minimal users, implementing role-based access controls (RBAC) to limit potential attackers. 3. Implement network-level controls such as firewall rules or egress filtering on LibreChat servers to block unauthorized outbound requests to internal IP ranges and cloud metadata service IPs. 4. Monitor logs for unusual outbound requests originating from LibreChat, especially to internal or cloud metadata endpoints. 5. Conduct regular audits of user privileges and authentication mechanisms to prevent unauthorized access to the vulnerable feature. 6. Consider deploying Web Application Firewalls (WAFs) with SSRF detection capabilities to detect and block malicious requests. 7. Educate administrators and users about the risks of SSRF and the importance of secure API specification handling. 8. If upgrading immediately is not feasible, disable or restrict the 'Actions' feature temporarily to mitigate risk.