CVE-2025-69220

Name: CVE-2025-69220
Creator: NVD / NIST
Published: 2026-01-07T21:15:59.547+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.9/10EPSS 0.28%

Last modified Jun 17, 2026

CVE-2025-69220 is a medium-severity vulnerability rated 5.9/10 on the CVSS scale. LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file uploads to an agents file context and file search. EPSS estimates a 0.28% chance of exploitation in the next 30 days.

Description

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file uploads to an agents file context and file search. An authenticated attacker with access to the agent ID can change the behavior of arbitrary agents by uploading new files to the file context or file search, even if they have no permissions for this agent. This issue is fixed in version 0.8.2-rc2.

Metrics

CVSS 3.1

5.9/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Probability

0.28%

19.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Librechat	Librechat	0.8.1

References

https://cwe.mitre.org/data/definitions/284.htmlNot Applicable
https://cwe.mitre.org/data/definitions/862.htmlNot Applicable
https://github.com/danny-avila/LibreChat/commit/4b9c6ab1cb9de626736de700c7981f38be08d237Patch
https://github.com/danny-avila/LibreChat/releases/tag/v0.8.2-rc2Release Notes
https://github.com/danny-avila/LibreChat/security/advisories/GHSA-xcmf-rpmh-hg59Exploit, Vendor Advisory
https://owasp.org/Top10/A01_2021-Broken_Access_ControlNot Applicable
https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.htmlTechnical Description
https://raw.githubusercontent.com/OWASP/ASVS/v5.0.0/5.0/OWASP_Application_Security_Verification_Standard_5.0.0_en.pdfTechnical Description

Timeline

Published: Jan 7, 2026
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2025-69220?

How severe is CVE-2025-69220?

CVE-2025-69220 has a CVSS score of 5.9/10 (MEDIUM severity). The EPSS model estimates a 0.28% probability of exploitation in the next 30 days.

How do I fix CVE-2025-69220?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-69220?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST