Executive Summary

This vulnerability in LibreChat's MCP stdio transport allows any authenticated user to execute arbitrary shell commands as root inside the container through a single API request. The issue arises because the MCP stdio transport accepts commands without validation, enabling remote code execution with root privileges. This happens because the API allows creation of MCP servers with stdio transport that executes commands immediately upon creation. The vulnerability is fixed by restricting stdio transport configuration to administrators only and disallowing it via the API. [2, 1]

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can have severe impacts including arbitrary command execution as root inside the container, potential data exfiltration such as JWT secrets, API keys, and MongoDB user data, access to the host filesystem through mounted directories, lateral movement within internal networks, supply chain attacks by injecting malicious content into served files, and credential theft by extracting secrets from environment files. This can compromise confidentiality, integrity, and availability of the system. [2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your LibreChat instance allows creation of MCP servers with stdio transport via the API. You can attempt to send a crafted HTTP POST request to the API endpoint `/api/mcp/servers` with a JSON payload specifying "type": "stdio" and arbitrary shell commands in the "command" and "args" fields. If the server accepts this request and executes the commands, it is vulnerable. For example, you can use a curl command like: `curl -X POST http://<librechat-host>/api/mcp/servers -H 'Content-Type: application/json' -d '{"type":"stdio","command":"echo","args":["vulnerable"]}'` and check if the command executes or creates output files as described in the PoC. If the server rejects the request with a 400 status code and "Invalid configuration" message, it is not vulnerable. [2, 1]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade LibreChat to version 0.8.2-rc2 or later, where the vulnerability is fixed. The fix restricts the MCP stdio transport configuration so it cannot be created via the API, only manually by administrators in the YAML configuration file. Additionally, ensure that MCP server creation permissions are not granted by default to all users, and validate that the API rejects any stdio transport configurations with a 400 status code. Avoid allowing stdio transport configurations through the API or UI to prevent arbitrary command execution. [1, 2]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows arbitrary command execution as root inside the container, which can lead to data exfiltration including JWT secrets, API keys, MongoDB user data, and credential theft by extracting .env secrets. Such unauthorized access and potential data breaches could violate compliance requirements of standards like GDPR and HIPAA that mandate protection of sensitive data and secure system access. Therefore, this vulnerability poses a significant risk to compliance with these regulations by compromising confidentiality, integrity, and availability of data. [2]

Useful 0 Not Useful 0