VYPR
High severity8.5NVD Advisory· Published Mar 27, 2026· Updated Mar 31, 2026

CVE-2026-31943

CVE-2026-31943

Description

LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.3, isPrivateIP() in packages/api/src/auth/domain.ts fails to detect IPv4-mapped IPv6 addresses in their hex-normalized form, allowing any authenticated user to bypass SSRF protection and make the server issue HTTP requests to internal network resources — including cloud metadata services (e.g., AWS 169.254.169.254), loopback, and RFC1918 ranges. Version 0.8.3 fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

4
  • cpe:2.3:a:librechat:librechat:*:*:*:*:*:*:*:*+ 3 more
    • cpe:2.3:a:librechat:librechat:*:*:*:*:*:*:*:*range: <0.8.3
    • cpe:2.3:a:librechat:librechat:0.8.3:rc1:*:*:*:*:*:*
    • cpe:2.3:a:librechat:librechat:0.8.3:rc2:*:*:*:*:*:*
    • (no CPE)range: <0.8.3

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.