CVE-2025-54868
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
LibreChat is a ChatGPT clone with additional features. In versions 0.0.6 through 0.7.7-rc1, an exposed testing endpoint allows reading arbitrary chats directly from the Meilisearch engine. The endpoint /api/search/test allows for direct access to stored chats in the Meilisearch engine without proper access control. This results in the ability to read chats from arbitrary users. This issue is fixed in version 0.7.7.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| danny-avila | LibreChat | >= 0.0.6, < 0.7.7 | affected |
Weaknesses
- CWE-285: CWE-285: Improper Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/danny-avila/LibreChat/security/advisories/GHSA-p5j8-m4wh-ffmw
- https://github.com/danny-avila/LibreChat/commit/0e8041bcac616949c42a68dfb8f108ccc4db5151
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.