CVE-2025-69220

Опубликовано: 07 янв. 2026

Источник: nvd

CVSS3: 7.1

CVSS3: 5.9

EPSS Низкий

Описание

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file uploads to an agents file context and file search. An authenticated attacker with access to the agent ID can change the behavior of arbitrary agents by uploading new files to the file context or file search, even if they have no permissions for this agent. This issue is fixed in version 0.8.2-rc2.

Ссылки

https://cwe.mitre.org/data/definitions/284.html
Not Applicable
https://cwe.mitre.org/data/definitions/862.html
Not Applicable
https://github.com/danny-avila/LibreChat/commit/4b9c6ab1cb9de626736de700c7981f38be08d237
Patch
https://github.com/danny-avila/LibreChat/releases/tag/v0.8.2-rc2
Release Notes
https://github.com/danny-avila/LibreChat/security/advisories/GHSA-xcmf-rpmh-hg59
Exploit
Vendor Advisory
https://owasp.org/Top10/A01_2021-Broken_Access_Control
Not Applicable
https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.html
Technical Description
https://raw.githubusercontent.com/OWASP/ASVS/v5.0.0/5.0/OWASP_Application_Security_Verification_Standard_5.0.0_en.pdf
Technical Description

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:librechat:librechat:0.8.1:-:*:*:*:*:*:*

cpe:2.3:a:librechat:librechat:0.8.1:rc1:*:*:*:*:*:*

EPSS

Процентиль: 8%

0.00029

Низкий

7.1 High

CVSS3

5.9 Medium

CVSS3

Дефекты

CWE-284

CWE-862

EPSS

Процентиль: 8%

0.00029

Низкий

7.1 High

CVSS3

5.9 Medium

CVSS3

Дефекты

CWE-284

CWE-862