CVE-2025-54868

High CVSS: 7.5

LibreChat is a ChatGPT clone with additional features. In versions 0.0.6 through 0.7.7-rc1, an exposed testing endpoint allows reading arbitrary chats directly from the Meilisearch engine. The endpoint /api/search/test allows for direct access to stored chats in the Meilisearch engine without proper access control. This results in the ability to read chats from arbitrary users. This issue is fixed in version 0.7.7.

Vendor

Librechat

Product

Librechat

CWE

CWE-285

Yayın Tarihi

2025-08-05 05:15:37

Güncelleme

2025-08-26 13:41:36

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-285 Librechat HIGH Librechat 2025

Referanslar

https://github.com/danny-avila/LibreChat/commit/0e8041bcac616949c42a68dfb8f108ccc4db5151 https://github.com/danny-avila/LibreChat/security/advisories/GHSA-p5j8-m4wh-ffmw

Benzer Kayıtlar

High

CVE-2026-31945

LibreChat is a ChatGPT clone with additional features. Versions 0.8.2-rc2 through 0.8.2 are vulnerable to a server-side…

Medium

CVE-2026-31950

LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc2 through 0.8.2-rc3, the SSE streaming endpoi…

Medium

CVE-2026-31951

LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc1 through 0.8.3-rc1, user-created MCP (Model…

High

CVE-2026-31943

LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.3, `isPrivateIP()` in `packages/api/src/auth…

Medium

CVE-2026-33265

In LibreChat 0.8.1-rc2, a logged-in user obtains a JWT for both the LibreChat API and the RAG API.

High

CVE-2025-41258

LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session mechanism and RAG API which compromises the se…