CVE-2025-69222 is a Server-Side Request Forgery (SSRF) vulnerability classified under CWE-918, affecting the LibreChat open-source ChatGPT clone developed by danny-avila. The vulnerability exists in versions 0.8.1-rc2 and 0.8.2-rc2 due to the default configuration of the Actions feature, which allows agents configured with predefined instructions to perform HTTP requests to remote services using OpenAPI specifications. This feature supports various HTTP methods, parameters, and authentication mechanisms, including custom headers, but lacks restrictions on which services can be accessed. Consequently, an attacker with at least limited privileges can exploit this to send crafted requests to internal services, such as the Retrieval-Augmented Generation (RAG) API included in the default Docker Compose setup. This can lead to unauthorized internal network access, data exposure, and potential partial denial of service. The vulnerability has a CVSS v3.1 score of 9.1 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L), indicating network exploitable with low attack complexity, requiring privileges but no user interaction, and causing high confidentiality impact, partial integrity, and availability impacts with scope change. The issue was publicly disclosed in early 2026 and fixed in versions beyond 0.8.2-rc2. No known exploits have been reported in the wild yet, but the nature of the vulnerability makes it a high-risk target for attackers aiming to pivot within internal networks or exfiltrate sensitive data.

For European organizations, this SSRF vulnerability poses significant risks, especially for those deploying LibreChat in environments with sensitive internal APIs or data. Exploitation could allow attackers to bypass perimeter defenses and access internal services not intended to be exposed externally, leading to data breaches, intellectual property theft, or disruption of AI services. Given the integration of LibreChat with AI workflows, compromised internal APIs could also lead to manipulation of AI outputs or leakage of proprietary training data. The vulnerability’s ability to cause partial denial of service further threatens availability of critical AI-driven communication platforms. Organizations relying on default configurations without network segmentation or strict access controls are particularly vulnerable. The risk is amplified in sectors with high AI adoption such as finance, healthcare, and research institutions prevalent in Europe. Additionally, the vulnerability could be leveraged in multi-stage attacks targeting cloud-hosted AI services or hybrid on-premises/cloud deployments common in European enterprises.

To mitigate this vulnerability, organizations should immediately upgrade LibreChat to versions later than 0.8.2-rc2 where the issue is fixed. Beyond patching, it is critical to implement strict network segmentation to isolate internal APIs like the RAG API from agents and external-facing components. Configure the Actions feature to whitelist only trusted external services and restrict HTTP methods and headers to the minimum necessary. Employ robust authentication and authorization controls on all internal APIs to prevent unauthorized access even if SSRF attempts occur. Monitor network traffic for unusual internal requests originating from LibreChat agents. Conduct regular security audits and penetration tests focusing on SSRF and internal service exposure. Additionally, consider deploying Web Application Firewalls (WAFs) with SSRF detection capabilities and enforce least privilege principles for users configuring agents. Finally, educate developers and administrators about secure configuration practices for AI platforms and the risks of SSRF.