AI & LLM Vulnerabilities

The fluent-plugin-opentelemetry plugin's HTTP input lacks size limits, allowing attackers to send huge or highly compressed files that consume excessive memory when decompressed, causing a DoS (denial of service, a type of attack that makes a service unavailable) attack by crashing the Fluentd logging process. If the OpenTelemetry endpoint (a connection point that accepts telemetry data) is exposed to untrusted networks, an attacker can exploit this to disrupt all log collection on the affected server.

The opentelemetry_sdk library had a vulnerability where it didn't check size limits before processing baggage headers (metadata passed between services in distributed tracing, which is used in observability and monitoring). An attacker could send extremely large headers that would waste CPU and memory while being parsed, even though they'd eventually be rejected, potentially causing a denial-of-service attack (making a service unavailable by overwhelming it with resource requests).

The langgraph-sdk (a Python library for making HTTP requests to LangGraph services) had a vulnerability where it directly inserted user-supplied identifier values into URLs without encoding them. This meant special characters in identifiers could change which resource was accessed, potentially allowing users to access, modify, or delete resources they shouldn't have permission to change, especially in systems that check permissions based on the URL path. The vulnerability only affects applications that pass unvalidated user input directly to SDK methods.

LangGraph's `JsonPlusSerializer` (a tool that converts JSON data back into Python objects) has a vulnerability where checkpoint files (saved states of an AI workflow) stored insecurely could be modified by attackers and cause arbitrary code execution (running attacker-chosen commands) when the checkpoint is loaded. This risk only applies if someone gains unauthorized write access to where checkpoints are stored, but the concern is converting that storage access into full control of the running application.

ToolJet, an open-source platform for building internal tools and AI agents, had a security flaw in versions before 3.20.1780-lts where an authenticated endpoint (POST /api/data-sources/decrypt) could decrypt sensitive database credentials for any organization if you knew the credential ID, even if you weren't part of that organization. This is a cross-tenant confidentiality breach (unauthorized access to another organization's secrets) because the endpoint lacked proper security checks that other similar endpoints had.

LibreChat, a ChatGPT-like application supporting multiple AI providers, has a vulnerability in versions before 0.8.4-rc1 where the 2FA backup code regeneration endpoint doesn't verify the user's identity. An attacker with a stolen session token (a credential that keeps you logged in) can regenerate a victim's two-factor authentication backup codes and use them to bypass login security or disable 2FA entirely.

LibreChat, a tool that lets users chat with multiple AI providers, had an incomplete security fix. While developers added rate limiters (controls that limit how many requests can be made in a short time) to one endpoint called /fork to stop users from duplicating conversations too quickly, they forgot to add the same protection to a similar endpoint called /duplicate, which does the same resource-heavy database work. An authenticated user (someone with a valid login) could exploit this gap by using /duplicate instead of /fork to overwhelm the server.

LibreChat (a ChatGPT alternative that works with multiple AI services) has a vulnerability in versions before 0.8.4-rc1 where the message deletion API endpoint doesn't properly check ownership, allowing any logged-in user to permanently delete another user's messages by providing their own conversation ID along with someone else's message ID.

LibreChat, a ChatGPT-like application that works with multiple AI providers, has a vulnerability in its image upload feature (the POST /api/files/images endpoint) that allows any logged-in user to upload files to another user's agent tools without permission. The developers had previously added permission checks to a file upload route, but forgot to add the same checks to the image upload route, making it easy for attackers to bypass the security by using images instead of regular files. This issue is fixed in version 0.8.4-rc1.

LibreChat, a ChatGPT-like application that works with multiple AI providers, has a vulnerability in how it displays formatted text (markdown) before version 0.8.4-rc1. The marked library fails to properly escape special characters in image descriptions, allowing an attacker to hide malicious code in those descriptions. When a user views the formatted text, this hidden code executes in their browser without permission.

LibreChat is a ChatGPT-like application that works with multiple AI providers. Before version 0.8.4-rc1, a file upload endpoint called POST /api/convos/import didn't have proper file size restrictions, allowing logged-in users to upload very large files that could fill up a server's storage and memory. A previous security fix added size limits to other file uploads but missed this endpoint.

Claude Code's `/copy` command had a serious security flaw where it saved responses to an easily guessable file location (`/tmp/claude/response.md`) that any user on the system could read, potentially exposing secrets or credentials. An attacker could also create a symlink (a shortcut to another file) at that location to trick the command into overwriting any file they chose. This vulnerability required the attacker and a privileged user to be on the same computer.

LibreChat, a ChatGPT-like application supporting multiple AI providers, has a security flaw in versions before 0.8.4-rc1 where an attacker with a valid session token (a code that proves you're logged in) can disable a user's two-factor authentication (2FA, an extra security layer requiring a second verification step) without permission. The attacker can overwrite the TOTP secret (a code used to generate login verification codes) and backup codes, then disable 2FA entirely, locking the real owner out of their account.