Compliance Impact

This vulnerability enables attackers to exfiltrate OAuth tokens and sensitive user information such as email and user ID by injecting malicious headers into MCP server configurations. The unauthorized disclosure of such personal and authentication data can lead to privacy breaches and identity theft.

Such exposure of sensitive personal data could result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on the confidentiality and security of personal and authentication information.

Specifically, the theft of OAuth tokens and user identity information may violate principles of data minimization, confidentiality, and integrity mandated by these standards, potentially leading to regulatory penalties and loss of user trust.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to theft of OAuth tokens from victims who use OpenID Single Sign-On (SSO) with LibreChat.

• Attackers can obtain victims' SSO access tokens.
• This can result in account takeover and identity theft.
• Attackers may move laterally within corporate resources authorized by the same SSO provider.
• All users on LibreChat instances with MCP servers enabled are affected, but OAuth token theft specifically impacts OpenID SSO authenticated users.

Useful 0 Not Useful 0

Executive Summary

This vulnerability exists in LibreChat versions 0.8.2-rc1 through 0.8.3-rc1 and involves the Model Context Protocol (MCP) servers created by users. These MCP servers can include arbitrary HTTP headers that undergo credential placeholder substitution without proper filtering.

An attacker can create a malicious MCP server with headers containing placeholders like {{LIBRECHAT_OPENID_ACCESS_TOKEN}}. When a victim uses this malicious MCP server, the system substitutes these placeholders with the victim's actual OAuth tokens and user information, which are then sent to the attacker's server.

This leads to exfiltration of sensitive OAuth tokens and identity information from the victim.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves malicious MCP servers injecting HTTP headers with credential placeholders that get substituted with victim credentials during tool calls. Detection can focus on identifying unusual or suspicious HTTP headers sent to external MCP servers, especially those containing OAuth tokens or user identifiers.

• Monitor outgoing HTTP requests from LibreChat clients or servers for headers containing sensitive tokens or placeholders such as `{{LIBRECHAT_OPENID_ACCESS_TOKEN}}`, `{{LIBRECHAT_USER_EMAIL}}`, or `{{LIBRECHAT_USER_ID}}`.
• Use network packet capture tools like `tcpdump` or `Wireshark` to filter HTTP traffic and inspect headers for unexpected or suspicious content.
• Example command to capture HTTP traffic on port 80 or 443 (if unencrypted) and filter for suspicious headers: `tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'Authorization\|LibreChat'`
• Check LibreChat MCP server configurations for user-created servers that include arbitrary or suspicious HTTP headers.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade LibreChat to version 0.8.3-rc2 or later, where the vulnerability is fixed by properly filtering the `headers` field in MCP server configurations to prevent credential placeholder substitution.

• Immediately update LibreChat instances to version 0.8.3-rc2 or newer.
• Disable or restrict usage of user-created MCP servers until the update is applied.
• Audit and remove any suspicious MCP servers that may have been added by attackers.
• Inform users about the risk of enabling untrusted MCP servers, especially if they use OpenID SSO.

Useful 0 Not Useful 0