* 🛡️ fix: Prevent ReDoS in YouTube URL extraction for URL Context The YouTube detection/strip regexes ran as a single global pass over authenticated, user-controlled chat text. The engine could restart at every `youtube.com/watch?` occurrence and the lazy `\S*?&` rescanned the rest of a long non-whitespace token each time, giving quadratic CPU behavior that blocks the Node event loop (DoS) for Google/Vertex agents with url_context enabled. - Tokenize on whitespace and skip tokens longer than a real URL, and cap the total text scanned, so work is bounded to O(n). URLs never contain whitespace, so per-token matching is equivalent. - Replace the lazy unbounded `(?:\S*?&)?` with the delimiter-bounded `(?:[^\s&]*&)*` (no behavior change for real URLs). - Apply the same discipline to the strip path. - Add ReDoS regression tests; a 3MB crafted input now completes in <10ms. * 🛡️ fix: Bound the YouTube strip scan by the same total budget Address Codex P1: the strip path applied only the per-token cap, so a valid URL followed by many sub-cap malformed tokens still regex-scanned the entire message (~1s on 3MB). Injected ids only come from the first MAX_YOUTUBE_SCAN_CHARS (extraction's cap), so a link beyond that is never in injectedIds anyway; cap the strip scan at the same budget and leave the tail verbatim. 3MB PoC: ~1s -> ~14ms. * 🧬 fix: Make YouTube URL matching linear instead of capping the scan The previous fix bounded the scan with per-token + total-scan caps, but the total-scan cap discarded content: a URL near the end of a long prompt was missed (extraction sliced to 100k), and large prepended file/quote context exhausted the strip budget before the real URL (strip skipped it). Codex round 2 (P2 x2). Replace the backtracking-prone matcher with a linear one: a single regex captures host + path/query (greedy `[^\s]*`, bounded `{1,63}`/`{0,10}` subdomain repetition, no lazy/ambiguous quantifier), and the video id is parsed from the capture afterwards. This is O(n) over arbitrary input, so the scan caps (and the content they discarded) are removed entirely. Extraction and stripping now scan the whole message linearly. Benchmarks (no caps): 3MB attack token ~3ms, 3MB many-token ~4ms, valid URL at end of 3MB found in ~18ms. Adds regression tests for long-prompt extraction and stripping past large prepended context. * 🔡 fix: Match adjacent + capitalized YouTube URLs after linear rewrite Codex round 3 (regressions from the linear matcher): - Stop the path capture at URL-list delimiters (`,` `)` `]` `<` `>`, none of which occur in a real YouTube URL) so adjacent links in one token (comma-separated or markdown `](url1)](url2)`) are matched separately instead of swallowed. - Lowercase the path segment before matching route names, since the detection regex is case-insensitive (`/WATCH?v=`, `/EMBED/`). * 🔒 fix: Allowlist URL chars + bounded path parsing for YouTube matching Codex round 4: - Replace the path stop-char blocklist with an allowlist of characters that occur in real YouTube URLs, so adjacent links separated by any prose delimiter (`;`, `|`, etc.) are matched separately instead of swallowed. - Parse the route with anchored, bounded regexes instead of `path.split('/')`, so a malformed path of millions of slashes no longer allocates a huge array / blocks the event loop. Also bounds the `v=` param read. * 🎯 fix: Restrict YouTube matcher to recognized video routes Codex round 5: a nested video URL inside an unrecognized YouTube URL (`youtube.com/redirect?q=https://youtu.be/<id>`) was swallowed by the greedy match and missed. Restrict the matcher to recognized single-video forms (youtu.be/<id>, /(shorts|live|embed|v)/<id>, /watch?<query>) so an unrecognized route doesn't match and the global scan continues into the nested link. Stays linear (verified: 3MB redirect/slash/host floods all <25ms) and keeps the allowlist tail so adjacent links still split. Adds nested-URL + unrecognized-route regression tests. * 🎬 fix: Find nested watch links + skip malformed v= duplicates Codex round 6 (P3 watch-query edges): - Drop `:` from the path allowlist. It never occurs in a real YouTube path/query, but `://` of a nested URL does — so `watch?url=https://youtu.be/<id>` now stops the watch match and the scan finds the nested link. - Scan every `v=` param and return the first valid 11-char id, so a malformed earlier `v=` (e.g. `watch?v=tooShort&v=<valid>`) no longer shadows a later valid one. * 🧹 fix: Strip whole YouTube URL incl. colon-containing trailing params Codex round 7: dropping `:` from the tail (round 6) made the strip path stop mid-URL on a URL-valued param (`watch?v=<id>&next=https://example.com`), leaving `://example.com` orphaned. Use a separate strip matcher whose tail re-includes `:` so the whole URL token is removed, while detection keeps the `:`-excluded tail to still find nested video links. Also corrects a stale "per-token cap" comment left over from the linear rewrite. |
||
|---|---|---|
| .devcontainer | ||
| .do/gitnexus | ||
| .github | ||
| .husky | ||
| .vscode | ||
| api | ||
| client | ||
| config | ||
| e2e | ||
| helm | ||
| packages | ||
| redis-config | ||
| scripts | ||
| skill | ||
| src/tests | ||
| utils | ||
| .dockerignore | ||
| .env.example | ||
| .gitattributes | ||
| .gitignore | ||
| .nvmrc | ||
| .prettierrc | ||
| AGENTS.md | ||
| bun.lock | ||
| CLAUDE.md | ||
| deploy-compose.yml | ||
| docker-compose.override.yml.example | ||
| docker-compose.yml | ||
| Dockerfile | ||
| Dockerfile.multi | ||
| eslint.config.mjs | ||
| librechat.example.yaml | ||
| LICENSE | ||
| package-lock.json | ||
| package.json | ||
| rag.yml | ||
| README.md | ||
| README.zh.md | ||
| turbo.json | ||
LibreChat
English · 中文
✨ Features
-
🖥️ UI & Experience inspired by ChatGPT with enhanced design and features
-
🤖 AI Model Selection:
- Anthropic (Claude), AWS Bedrock, OpenAI, Azure OpenAI, Google, Vertex AI, OpenAI Responses API (incl. Azure)
- Custom Endpoints: Use any OpenAI-compatible API with LibreChat, no proxy required
- Compatible with Local & Remote AI Providers:
- Ollama, groq, Cohere, Mistral AI, Apple MLX, koboldcpp, together.ai,
- OpenRouter, Helicone, Perplexity, ShuttleAI, Deepseek, Qwen, and more
-
- Secure, Sandboxed Execution in Python, Node.js (JS/TS), Go, C/C++, Java, PHP, Rust, and Fortran
- Seamless File Handling: Upload, process, and download files directly
- No Privacy Concerns: Fully isolated and secure execution
- Open-Source & Self-Hostable: powered by ClickHouse/code-interpreter
-
🔦 Agents & Tools Integration:
- LibreChat Agents:
- No-Code Custom Assistants: Build specialized, AI-driven helpers
- Agent Marketplace: Discover and deploy community-built agents
- Collaborative Sharing: Share agents with specific users and groups
- Flexible & Extensible: Use MCP Servers, tools, file search, code execution, and more
- Skills: Create reusable
SKILL.mdinstruction bundles for manual, automatic, or always-on agent workflows - Subagents: Delegate focused work to isolated child agent runs with their own context windows
- Compatible with Custom Endpoints, OpenAI, Azure, Anthropic, AWS Bedrock, Google, Vertex AI, Responses API, and more
- Model Context Protocol (MCP) Support for Tools
- LibreChat Agents:
-
🔍 Web Search:
- Search the internet and retrieve relevant information to enhance your AI context
- Combines search providers, content scrapers, and result rerankers for optimal results
- Customizable Jina Reranking: Configure custom Jina API URLs for reranking services
- Learn More →
-
🪄 Generative UI with Code Artifacts:
- Code Artifacts allow creation of React, HTML, and Mermaid diagrams directly in chat
-
🎨 Image Generation & Editing
- Text-to-image and image-to-image with GPT-Image-1
- Text-to-image with DALL-E (3/2), Stable Diffusion, Flux, or any MCP server
- Produce stunning visuals from prompts or refine existing images with a single instruction
-
💾 Presets & Context Management:
- Create, Save, & Share Custom Presets
- Switch between AI Endpoints and Presets mid-chat
- Edit, Resubmit, and Continue Messages with Conversation branching
- Create and share prompts with specific users and groups
- Fork Messages & Conversations for Advanced Context control
-
💬 Multimodal & File Interactions:
- Upload and analyze images with Claude 3, GPT-4.5, GPT-4o, o1, Llama-Vision, and Gemini 📸
- Chat with Files using Custom Endpoints, OpenAI, Azure, Anthropic, AWS Bedrock, & Google 🗃️
-
🌎 Multilingual UI:
- English, 中文 (简体), 中文 (繁體), العربية, Deutsch, Español, Français, Italiano
- Polski, Português (PT), Português (BR), Русский, 日本語, Svenska, 한국어, Tiếng Việt
- Türkçe, Nederlands, עברית, Català, Čeština, Dansk, Eesti, فارسی
- Suomi, Magyar, Հայերեն, Bahasa Indonesia, ქართული, Latviešu, ไทย, ئۇيغۇرچە
-
🧠 Reasoning UI:
- Dynamic Reasoning UI for Chain-of-Thought/Reasoning AI models like DeepSeek-R1
-
🎨 Customizable Interface:
- Customizable Dropdown & Interface that adapts to both power users and newcomers
-
- Never lose a response: AI responses automatically reconnect and resume if your connection drops
- Multi-Tab & Multi-Device Sync: Open the same chat in multiple tabs or pick up on another device
- Production-Ready: Works from single-server setups to horizontally scaled deployments with Redis
-
🗣️ Speech & Audio:
- Chat hands-free with Speech-to-Text and Text-to-Speech
- Automatically send and play Audio
- Supports OpenAI, Azure OpenAI, and Elevenlabs
-
📥 Import & Export Conversations:
- Import Conversations from LibreChat, ChatGPT, Chatbot UI
- Export conversations as screenshots, markdown, text, json
-
🔍 Search & Discovery:
- Search all messages/conversations
-
👥 Multi-User & Secure Access:
- Multi-User, Secure Authentication with OAuth2, LDAP, & Email Login Support
- Built-in Moderation, and Token spend tools
-
🎛️ Admin Panel:
- Browser-based UI to manage users, groups, roles, and configuration overrides
- Edit settings and per-role/group permissions live, without redeploying
- Bundled with the Docker Compose stacks for one-command setup
-
⚙️ Configuration & Deployment:
- Configure Proxy, Reverse Proxy, Docker, & many Deployment options
- Use S3 with CloudFront for stable media links, edge delivery, signed cookies, and secured downloads
- Use completely local or deploy on the cloud
-
📖 Open-Source & Community:
- Completely Open-Source & Built in Public
- Community-driven development, support, and feedback
For a thorough review of our features, see our docs here 📚
🪶 All-In-One AI Conversations with LibreChat
LibreChat is a self-hosted AI chat platform that unifies all major AI providers in a single, privacy-focused interface.
Beyond chat, LibreChat provides AI Agents, Model Context Protocol (MCP) support, Artifacts, Code Interpreter, custom actions, conversation search, and enterprise-ready multi-user authentication.
Open source, actively developed, and built for anyone who values control over their AI infrastructure.
🌐 Resources
GitHub Repo:
- RAG API: github.com/danny-avila/rag_api
- Website: github.com/LibreChat-AI/librechat.ai
Other:
- Website: librechat.ai
- Documentation: librechat.ai/docs
- Blog: librechat.ai/blog
📝 Changelog
Keep up with the latest updates by visiting the releases page and notes:
⚠️ Please consult the changelog for breaking changes before updating.
⭐ Star History
✨ Contributions
Contributions, suggestions, bug reports and fixes are welcome!
For new features, components, or extensions, please open an issue and discuss before sending a PR.
If you'd like to help translate LibreChat into your language, we'd love your contribution! Improving our translations not only makes LibreChat more accessible to users around the world but also enhances the overall user experience. Please check out our Translation Guide.
💖 This project exists in its current state thanks to all the people who contribute
🎉 Special Thanks
We thank Locize for their translation management tools that support multiple languages in LibreChat.