What happened
LibreChat allows users to configure custom OpenAI-compatible API endpoints by setting a baseURL. Prior to 0.8.4-rc1, this URL is passed directly to server-side HTTP requests without any SSRF validation. An authenticated attacker can point the baseURL at internal network addresses to reach cloud metadata services, internal APIs, or other restricted endpoints, with the LibreChat server acting as an unwitting proxy.
Why it matters
In cloud-deployed LibreChat instances (the common deployment pattern), SSRF via the baseURL field can expose cloud instance metadata (the AWS/GCP/Azure credential endpoints), internal AI infrastructure such as vector databases and model-serving APIs, and backend services never meant to be reachable from the internet. In effect, an authenticated user's access escalates to reachability of the internal network.
Attack vector
An authenticated user sets a custom OpenAI-compatible API endpoint baseURL to an internal network address (e.g., http://169.254.169.254/ or internal microservice URLs). LibreChat constructs HTTP requests to this URL server-side with no SSRF protection — no private IP check, no scheme restriction, no DNS pinning — allowing the user to probe and interact with internal services, cloud metadata endpoints, and other backend infrastructure.
Affected systems
LibreChat < 0.8.4-rc1
Mitigation
Upgrade to LibreChat 0.8.4-rc1 or later. Advisory: https://github.com/danny-avila/LibreChat/security/advisories/GHSA-gc9r-88c3-7qhq