github analyzed 8154a31

danny-avila/LibreChat

Enhanced ChatGPT Clone: Features Agents, MCP, Skills, DeepSeek, Anthropic, AWS, OpenAI, Responses API, Azure, Groq, o1, GPT-5, Mistral, OpenRouter, Vertex AI, Gemini, Artifacts, AI model switching, message search, Code Interpreter, langchain, DALL-E-3, OpenAPI Actions, Functions, Secure Multi-User Auth, Presets, open-source for self-hosting.

Active

maintainer: danny-avila
license: MIT
first seen: 2026-05-22
last seen: 2026-06-14
releases · 30d: 1
short id
risk 97/100 · heuristic grade: E critical
  • vulnerabilities · attested · +50
  • capability exposure · inferred · +35
  • recent drift · inferred · +20
  • trust mitigators · mixed · −8

attested · inferred · mixed

The A–E grade is our heuristic synthesis — a "review this" prompt, not a verdict. Each factor is tagged by what backs it: attested (a verifiable record), reported (a third party's claim), or inferred (our own heuristic, e.g. permissions). See methodology.

graded 11m ago

risk trajectory · 1 movement
  • E · 100, E · 97
capability exposure · grade factor +35
Inferred surface — each links to servers holding it:
vulnerabilities · 20 CVEs · grade factor +50
  • CRITICAL · Server Secrets Exfiltration via MCP Server URL Injection · EPSS 0% · CVE-2026-32625 · affects ["<= 0.8.3"]
  • CRITICAL · LibreChat MCP Stdio Remote Command Execution · EPSS 0% · CVE-2026-22252 · affects ["0.8.2-rc1"]
  • CRITICAL · LibreChat Server-Side Request Forgery · EPSS 0% · CVE-2025-69222 · affects ["0.8.1-rc2"]
  • HIGH · Missing Resource Parameter Validation in MCP OAuth Flow · EPSS 0% · CVE-2026-54030 · affects ["<= v0.8.5-rc1"]
  • HIGH · SSRF via User-Provided Custom Endpoint baseURL — no private IP validation on user-configured API bas… · EPSS 0% · CVE-2026-54033 · affects ["< v0.8.4-rc1"]
  • HIGH · IDOR in API Keys Management allows any authenticated user to overwrite other users' API keys · EPSS 0% · CVE-2026-31942 · affects ["<= 0.7.6"]
  • HIGH · SSRF protection bypass via IPv4-mapped IPv6 normalization in isPrivateIP · EPSS 0% · CVE-2026-31943 · affects ["v0.8.3-rc2"]
  • HIGH · LibreChat Server-Side Request Forgery using DNS resolution · EPSS 0% · CVE-2026-31945 · affects ["v0.8.2-rc2, v0.8.2-rc3, v0.8.2"]
  • HIGH · MCP OAuth callback does not validate browser session, allows token theft via redirect link · EPSS 0% · CVE-2026-31944 · affects [">= v0.8.2, <= 0.8.2-rc3"]
  • HIGH · LibreChat Insufficient Access Control on Agent Files · EPSS 0% · CVE-2025-69220 · affects ["0.8.1-rc2"]
  • HIGH · JSON Injection on chat POST leading to remote resource inclusion - may lead to PXSS on image upload · EPSS 0% · CVE-2025-66450 · affects ["0.8.0"]
  • HIGH · Server-side Request Forgery (SSRF) in Actions Capability · EPSS 0% · CVE-2025-66201 · affects ["< 0.8.1-rc2"]
  • HIGH · Reading of arbitrary Chats · EPSS 0% · CVE-2025-54868 · affects ["v0.0.6 - v0.7.7"]
  • MEDIUM · 2FA Backup Code Regeneration Without OTP Verification Allows 2FA Bypass · EPSS 0% · CVE-2026-54040 · affects ["<= 0.8.3"]
  • MEDIUM · Incomplete Fix for CVE-2025-7105 — /api/convos/duplicate Lacks Rate Limiting Applied to /api/convos/… · EPSS 0% · CVE-2026-54037 · affects ["<= 0.8.3"]
  • MEDIUM · Shared-agent editor can globally delete owner's file records — breaks owner's other private agents · EPSS 0% · CVE-2026-44654 · affects ["<= 0.8.3"]
  • MEDIUM · Image Upload Route Bypasses Agent Permission Check — Incomplete Fix for File Upload Authorization · EPSS 0% · CVE-2026-54027 · affects ["<= 0.8.3"]
  • MEDIUM · IDOR in Message Deletion — Incomplete Fix for CVE-2024-41703 Leaves deleteMessages() Without User Fi… · EPSS 0% · CVE-2026-54029 · affects ["<= 0.8.3"]
  • MEDIUM · Shared MCP Server View Leaks Decrypted Admin Secrets · EPSS 0% · CVE-2026-44653 · affects ["v0.8.3"]
  • MEDIUM · Incomplete Fix for CVE-2024-11171 — Conversation Import Multer Instance Missing File Size Limits · EPSS 0% · CVE-2026-54024 · affects ["<= 0.8.3"]
tool safety · 1 finding · grade factor +0
  1. high · dangerous code

    env-secret-flows-to-network-js: A process environment value (often a secret/token) flows into a network call — possible credential exfiltration. (/tmp/obs-code-H863z1/danny-avila-L

skills & danger signals · github-tarball
prompt-surface shipped agent-instruction files + hidden-content / dangerous-code findings — quoted from the analyzed source

analyzed commit 8154a31 · analyzer v17 · 23h ago

skills & prompt files 3

danger signals 2

other grade factors · evidence elsewhere

Heuristic, inferred signals — false positives (legitimately powerful tools, forks, language ports) are expected. Treat each as "review this", not a verdict. See the ecosystem-wide picture on the security hub, or the fleet security of danny-avila.