[Bug]: Responsible Disclosure of Potential Security Vulnerabilities

[DeenoB]

What happened?

The AppSec team at REA Group have performed a penetration test of LibreChat and have discovered a number of security vulnerabilities. We would like to work with the maintainer of LibreChat to discuss impact, remediation, and whether they should be raised as CVEs.

We have opted to use communication method Option 2 of your Security Policy (raising this issue). Trying to create a security issue in the repo only links to the security policy and we can't raise an advisory from there.

Please advise for the best way to engage you; ideally an email address (is contact@librechat.ai still appropriate?). We would prefer not to use Discord for this communication. Thanks team!

Steps to Reproduce

To be discussed in private channels.

What browsers are you seeing the problem on?

No response

Relevant log output

No response

Screenshots

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[danny-avila]

mailto:contact@librechat.ai Works, thank you

[R-Prady]

Could you please highlight the security issues?

[DeenoB]

Hi @R-Prady, I emailed Danny in private and it seems like he has merged fix code for the issues.
I'll continue to discuss with him to see if he would like us to disclose them publicly and/or raise CVEs for them. I'd prefer to hold off until a fix version has been released which contains the fixes. Cheers!

[DeenoB]

Hi all, two CVEs have been reserved for the vulnerabilities raised:

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41703
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41704

@danny-avila FYI, we will contact you further by email to discuss the fixes you merged recently (#3363). Thanks!