[Bug]: Responsible Disclosure of Potential Security Vulnerabilities #3315
-
What happened?
The AppSec team at REA Group have performed a penetration test of LibreChat and have discovered a number of security vulnerabilities. We would like to work with the maintainer of LibreChat to discuss impact, remediation, and whether they should be raised as CVEs. We have opted to use communication method Option 2 of your Security Policy (raising this issue). Trying to create a security issue in the repo only links to the security policy, and we can't raise an advisory from there. Please advise on the best way to engage you; ideally an email address (is contact@librechat.ai still appropriate?). We would prefer not to use Discord for this communication. Thanks team!

Steps to Reproduce
To be discussed in private channels.

What browsers are you seeing the problem on?
No response

Relevant log output
No response

Screenshots
No response

Code of Conduct
Replies: 4 comments 1 reply
-
contact@librechat.ai works, thank you.
-
Could you please highlight the security issues?
-
Hi all, two CVEs have been reserved for the vulnerabilities raised:
@danny-avila FYI, we will contact you further by email to discuss the fixes you merged recently (#3363). Thanks!
-
Hi all, full write-ups of the vulnerabilities have been published:
Please update to at least v0.7.4, as both issues have been fixed in that version. Happy to close this discussion.
Thanks again @danny-avila for all your help in getting these merged!