CVE-2026-54030
Status: Undergoing Analysis - In Progress
OAuth Token Theft in LibreChat MCP Server

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.5, LibreChat's MCP OAuth implementation does not validate that the resource parameter from OAuth Protected Resource metadata (RFC 9728) matches the configured MCP server URL, allowing a malicious MCP server to steal access tokens intended for a legitimate server. This vulnerability is fixed in 0.8.5.
Meta Information
Generated: 2026-06-26
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor        Product     Version / Range
librechat     librechat   up to 0.8.5 (excluding)
danny_avila   librechat   up to 0.8.5 (excluding)
CWE ID    Description
CWE-346   Origin Validation Error: the product does not properly verify that the source of data or communication is valid.
AI Quick Actions
Detection Guidance

This vulnerability involves the LibreChat MCP OAuth implementation not validating the resource parameter against the configured MCP server URL, which can be exploited by a malicious MCP server to steal access tokens.

To detect this vulnerability on your system, you should verify the version of LibreChat in use and check if it is prior to version 0.8.5, as the issue is fixed starting from 0.8.5.

Additionally, monitoring OAuth authorization URLs for the presence of a resource parameter that does not match the configured MCP server URL can help identify potential exploitation attempts.

Suggested commands to assist in detection include:

  • Check LibreChat version: `librechat --version` or inspect the installed package version.
  • Capture and inspect OAuth authorization URLs in network traffic using tools like `tcpdump` or `Wireshark` to look for mismatched resource parameters.
  • Example tcpdump command to capture traffic on port 443 (HTTPS): `sudo tcpdump -i any -A port 443 | grep resource=`. Note that the payload of HTTPS traffic is TLS-encrypted, so this only surfaces the parameter where the capture point sees plaintext (for example at a TLS-terminating proxy); otherwise rely on the application logs.
  • Review application logs for OAuth authorization requests and verify that the resource parameter matches the configured MCP server URL.
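The match check that the Description and the last bullet above refer to, as an added example that is not LibreChat's own code: it takes an RFC 9728 Protected Resource Metadata document and the configured MCP server URL and accepts the metadata only when its `resource` value identifies that server (same origin, and a path that is the server path or a parent of it, which is an assumed matching rule). The function names and the sample metadata are constructed for illustration.

```javascript
// Added example, not LibreChat's code: gate RFC 9728 Protected Resource
// Metadata on the MCP server URL the user configured, before its `resource`
// value is used in an OAuth flow. Names and sample data are constructed.

// Canonical form for comparison: lowercase scheme and host, default port
// dropped, trailing slash removed, query and fragment ignored.
function canonicalize(rawUrl) {
  const u = new URL(rawUrl);
  const path = u.pathname.replace(/\/+$/, '') || '/';
  return { origin: u.origin.toLowerCase(), path };
}

// True only when `resourceValue` identifies the configured server: identical
// origin, and a path that equals the server path or is a parent segment of it.
function resourceMatchesServer(resourceValue, configuredServerUrl) {
  let res, srv;
  try {
    res = canonicalize(resourceValue);
    srv = canonicalize(configuredServerUrl);
  } catch {
    return false; // an unparsable URL never matches
  }
  if (res.origin !== srv.origin) return false;
  if (res.path === '/' || res.path === srv.path) return true;
  return srv.path.startsWith(res.path + '/');
}

// Returns the validated `resource` string or throws, so a caller cannot
// continue with a mismatched value by accident.
function validateProtectedResourceMetadata(metadata, configuredServerUrl) {
  if (!metadata || typeof metadata.resource !== 'string') {
    throw new Error('protected resource metadata lacks a resource value');
  }
  if (!resourceMatchesServer(metadata.resource, configuredServerUrl)) {
    throw new Error(
      `resource ${metadata.resource} does not match configured MCP server ${configuredServerUrl}`
    );
  }
  return metadata.resource;
}

// Constructed samples: the second document advertises a resource at a
// different origin than the configured server, the mismatch described above.
const CONFIGURED_MCP_SERVER = 'https://mcp.example.org/mcp';
const LEGITIMATE_METADATA = { resource: 'https://mcp.example.org/mcp' };
const MISMATCHED_METADATA = { resource: 'https://other.example.net/mcp' };
```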
Compliance Impact

This vulnerability allows a malicious MCP server to steal access tokens intended for a legitimate server, enabling full impersonation of victims and unauthorized access to their resources.

Such unauthorized access and potential data exposure can lead to violations of confidentiality and integrity requirements mandated by common standards and regulations like GDPR and HIPAA.

Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to improper protection of sensitive data and failure to ensure secure authorization mechanisms.

Executive Summary

This vulnerability exists in LibreChat versions prior to 0.8.5, where the MCP OAuth implementation does not properly validate that the resource parameter from OAuth Protected Resource metadata matches the configured MCP server URL.

Because of this lack of validation, a malicious MCP server can trick the system into sending access tokens intended for a legitimate server to itself, effectively stealing those tokens.

This issue was fixed in version 0.8.5 of LibreChat.

Impact Analysis

The vulnerability allows a malicious MCP server to steal access tokens that are meant for a legitimate server.

With stolen access tokens, an attacker could potentially gain unauthorized access to protected resources or user data, leading to confidentiality and integrity breaches.

The CVSS score of 8.0 indicates a high severity impact, with high confidentiality and integrity impact but no impact on availability.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade LibreChat to version 0.8.5 or later, where the issue has been fixed.
