Executive Summary

This vulnerability exists in LibreChat versions up to and including 0.8.3. The issue is in the Model Context Protocol (MCP) server integration, which resolves ${VAR} placeholders against the server's environment variables during validation of user-supplied MCP server URLs. An authenticated user can create a malicious MCP server configuration with a URL that references environment variables and points to an attacker-controlled domain. When the LibreChat server connects to this malicious URL, it inadvertently sends critical secrets such as CREDS_KEY, CREDS_IV, JWT_SECRET, and MONGO_URI in the request URL.

This allows an attacker to fully compromise the installation's cryptographic materials and database credentials without needing administrative privileges. The vulnerability is fixed in version 0.8.4-rc1.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker to obtain critical secrets such as cryptographic keys and database credentials from the LibreChat server.

• Full compromise of cryptographic materials (CREDS_KEY, CREDS_IV, JWT_SECRET).
• Exposure of database credentials (MONGO_URI), potentially leading to unauthorized database access.
• The attacker does not need administrative privileges to exploit this vulnerability.
• Potential unauthorized access to sensitive data and disruption of service integrity.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade LibreChat to version 0.8.4-rc1 or later, where the issue has been patched.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an authenticated user to exfiltrate critical secrets such as cryptographic keys and database credentials from the LibreChat server. Such unauthorized disclosure of sensitive information can lead to a full compromise of the system's confidentiality and integrity.

The exposure of sensitive data like JWT secrets and database URIs may result in violations of data protection regulations such as GDPR and HIPAA, which require strict controls over access to and protection of personal and sensitive information.

Therefore, this vulnerability could negatively impact compliance with these standards by enabling unauthorized access and potential data breaches.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unusual outbound HTTP requests from the LibreChat server to external domains, especially those containing environment variable values in the URL query parameters.

Specifically, look for HTTP requests initiated by the LibreChat process to attacker-controlled domains with URLs containing sensitive environment variable data such as CREDS_KEY, CREDS_IV, JWT_SECRET, or MONGO_URI.

To detect exploitation attempts, you can capture and analyze network traffic or logs for suspicious POST requests to the /api/mcp/servers endpoint that include MCP server URLs with ${VAR} placeholders.

• Use network monitoring tools like tcpdump or Wireshark to capture outbound HTTP requests from the LibreChat server.
• Example tcpdump command to capture HTTP traffic: sudo tcpdump -i <interface> -A 'tcp port 80 or tcp port 443 and src host <LibreChat-server-IP>'
• Search web server or application logs for POST requests to /api/mcp/servers containing URLs with ${VAR} patterns or suspicious domains.
• Use grep or similar tools to find suspicious payloads, e.g.: grep -r '\${' /path/to/librechat/logs

Because the vulnerability involves environment variable substitution in URLs, detecting any MCP server URL containing ${VAR} placeholders or unexpected external domains in logs or network traffic is a strong indicator of exploitation.

Useful 0 Not Useful 0