[Bug]: Responsible Disclosure of Potential Security Vulnerabilities #3315

DeenoB · 2024-07-10T06:13:49Z

DeenoB
Jul 10, 2024

What happened?

The AppSec team at REA Group have performed a penetration test of LibreChat and have discovered a number of security vulnerabilities. We would like to work with the maintainer of LibreChat to discuss impact, remediation, and whether they should be raised as CVEs.

We have opted to use communication method Option 2 of your Security Policy (raising this issue). Trying to create a security issue in the repo only links to the security policy and we can't raise an advisory from there.

Please advise for the best way to engage you; ideally an email address (is contact@librechat.ai still appropriate?). We would prefer not to use Discord for this communication. Thanks team!

Steps to Reproduce

To be discussed in private channels.

What browsers are you seeing the problem on?

No response

Relevant log output

No response

Screenshots

No response

Code of Conduct

I agree to follow this project's Code of Conduct

Answered by DeenoB

Aug 20, 2024

Hi all, full write-ups of the vulnerabilities have been published:

Please update to at least v0.7.4 as both issues have been fixed in that version. Happy to close this discussion.

Thanks again @danny-avila for all your help in getting these merged!

View full answer

danny-avila · 2024-07-10T06:17:01Z

danny-avila
Jul 10, 2024
Maintainer

mailto:contact@librechat.ai Works, thank you

0 replies

R-Prady · 2024-07-17T11:16:18Z

R-Prady
Jul 17, 2024

Could you please highlight the security issues?

1 reply

DeenoB Jul 17, 2024
Author

Hi @R-Prady, I emailed Danny in private and it seems like he has merged fix code for the issues.
I'll continue to discuss with him to see if he would like us to disclose them publicly and/or raise CVEs for them. I'd prefer to hold off until a fix version has been released which contains the fixes. Cheers!

DeenoB · 2024-07-22T11:17:27Z

DeenoB
Jul 22, 2024
Author

Hi all, two CVEs have been reserved for the vulnerabilities raised:

@danny-avila FYI, we will contact you further by email to discuss the fixes you merged recently (#3363). Thanks!

0 replies

DeenoB · 2024-08-20T05:26:03Z

DeenoB
Aug 20, 2024
Author

Hi all, full write-ups of the vulnerabilities have been published:

Please update to at least v0.7.4 as both issues have been fixed in that version. Happy to close this discussion.

Thanks again @danny-avila for all your help in getting these merged!

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Bug]: Responsible Disclosure of Potential Security Vulnerabilities #3315

{{title}}

Replies: 4 comments 1 reply

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

[Bug]: Responsible Disclosure of Potential Security Vulnerabilities #3315

DeenoB Jul 10, 2024

What happened?

Steps to Reproduce

What browsers are you seeing the problem on?

Relevant log output

Screenshots

Code of Conduct

Replies: 4 comments · 1 reply

danny-avila Jul 10, 2024 Maintainer

R-Prady Jul 17, 2024

DeenoB Jul 17, 2024 Author

DeenoB Jul 22, 2024 Author

DeenoB Aug 20, 2024 Author

DeenoB
Jul 10, 2024

Replies: 4 comments 1 reply

danny-avila
Jul 10, 2024
Maintainer

R-Prady
Jul 17, 2024

DeenoB Jul 17, 2024
Author

DeenoB
Jul 22, 2024
Author

DeenoB
Aug 20, 2024
Author