PT-2025-12139 · Danny Avila · Librechat

Published

2025-03-20

·

Updated

2025-03-21

·

CVE-2024-12580

CVSS v3.1

5.3

Medium

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: danny-avila/librechat, versions prior to 0.7.6
Description: A log injection vulnerability. The route parameters sessionId and fileId in the "/code/download/:sessionId/:fileId" endpoint, and userId and file_id in the "/download/:userId/:file_id" endpoint, are written to the application log without validation or filtering. An unauthenticated attacker who places newline or other control characters in these values can terminate the current log record and append forged records of their own. This distorts the information that monitoring and incident investigation rely on, helps evade log-based detection, and complicates maintenance and operation. The CVSS vector reflects this: reachable over the network, no privileges or user interaction required, with impact limited to integrity (I:L).
Recommendations: Update to version 0.7.6 or later. As a temporary workaround, validate the sessionId, fileId, userId and file_id parameters against the identifier format the application actually issues and reject anything else, and strip or escape control characters (at minimum CR and LF) from any value that is still written to a log.
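The following is an added example, not LibreChat's own code, showing the vulnerable pattern the advisory describes (a route parameter interpolated straight into a text log line) beside the two workarounds it recommends, plus structured logging as a third option. The identifier format, the log line layout, the function names and all sample values are assumptions constructed for the demonstration.

```javascript
// Added example (not LibreChat's code): log injection through an unvalidated
// route parameter, and the mitigations that close it. The id shape, log format
// and sample values are assumptions constructed for this demo.

const TS = '2025-03-21T00:00:00.000Z'; // fixed timestamp keeps output deterministic

// Constructed attacker input: CRLF followed by a forged, authentic-looking record.
const FORGED_RECORD = `${TS} INFO auth login ok user=admin ip=10.0.0.1`;
const INJECTED_ID = `abc\r\n${FORGED_RECORD}`;
const BENIGN_ID = '3f2a9c1e-7b4d-4e8a-9c0f-1a2b3c4d5e6f';

// --- Vulnerable pattern: path parameters go straight into a text log line. ---
function logDownloadVulnerable(sessionId, fileId) {
  return `${TS} INFO code download session=${sessionId} file=${fileId}`;
}

// --- Mitigation 1: allow-list validation before the value is used anywhere. ---
// The regex is an assumption; a real route should match the ids it actually issues.
const ID_RE = /^[A-Za-z0-9_-]{1,128}$/;
function isValidId(value) {
  return typeof value === 'string' && ID_RE.test(value);
}

// --- Mitigation 2: neutralize control characters in anything still logged ---
// (for example the rejected value itself), so one record can never span lines.
function sanitizeForLog(value) {
  return String(value).replace(/[\x00-\x1F\x7F]/g,
    (c) => '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

function logDownloadHardened(sessionId, fileId) {
  if (!isValidId(sessionId) || !isValidId(fileId)) {
    return {
      status: 400,
      line: `${TS} WARN code download rejected session=${sanitizeForLog(sessionId)} file=${sanitizeForLog(fileId)}`,
    };
  }
  return { status: 200, line: `${TS} INFO code download session=${sessionId} file=${fileId}` };
}

// --- Mitigation 3: structured (JSON) logging. JSON.stringify escapes \r and \n, ---
// so the field keeps the raw value for forensics while the record stays one line.
function logDownloadStructured(sessionId, fileId) {
  return JSON.stringify({ ts: TS, level: 'INFO', event: 'code download', sessionId, fileId });
}

// What a log consumer sees: split written text into records on line breaks.
function recordsOf(text) {
  return text.split(/\r?\n/);
}

// Stand-alone demo: the vulnerable line yields two records, the others one.
console.log('vulnerable records:', recordsOf(logDownloadVulnerable(INJECTED_ID, 'f1')).length);
console.log('hardened records:  ', recordsOf(logDownloadHardened(INJECTED_ID, 'f1').line).length);
console.log('structured records:', recordsOf(logDownloadStructured(INJECTED_ID, 'f1')).length);
```

Validation alone is the right first fix, because an id that fails the allow-list should never reach a handler at all; the escaping step matters for whatever you choose to log about the rejection, since logging the raw rejected value reopens the same hole.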

Weakness Enumeration

Related Identifiers

CVE-2024-12580

Affected Products

Librechat