PT-2025-50771 · Librechat · Librechat
Published 2025-12-11 · Updated 2025-12-12 · CVE-2025-66450
CVSS v4.0: 8.6 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N |
Name of the Vulnerable Software and Affected Versions
LibreChat versions 0.8.0 and below
Description
A flaw exists in LibreChat versions 0.8.0 and below where modifying the iconURL parameter in a POST request allows an attacker to store malicious code within a chat. Sharing that chat with other users can lead to a loss of privacy for those who view the shared link, because resources loaded from the malicious link can compromise their data. The issue is a cross-site scripting weakness in shared chat links.
Recommendations
Update to version 0.8.1 or later.
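The description points at two defensive layers: validating a user-supplied icon URL before it is stored with a chat, and escaping it when the shared view renders it. The following is an added example and not LibreChat's own code; the function names, the `maxLength` option and the sample inputs are assumptions.

```javascript
// Added example (not LibreChat's code): validate a user-supplied icon URL
// before storing it with a chat, then render it safely in the shared view.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns the normalised URL string if acceptable, otherwise null.
// Rejects non-http(s) schemes (javascript:, data:, ...), embedded
// credentials, relative paths and anything that fails to parse.
function validateIconUrl(raw, { maxLength = 2048 } = {}) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > maxLength) {
    return null;
  }
  let url;
  try {
    url = new URL(raw); // throws on relative or malformed input
  } catch {
    return null;
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  if (url.username || url.password) return null;
  return url.href;
}

// Escape a value for a double-quoted HTML attribute so a stored string can
// never close the attribute or inject markup into the shared-chat page.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Build the <img> tag for the shared view; returns '' when validation
// fails so nothing attacker-controlled reaches the DOM.
function renderIcon(rawIconUrl) {
  const safe = validateIconUrl(rawIconUrl);
  return safe ? `<img src="${escapeAttr(safe)}" alt="">` : '';
}

// Constructed sample inputs (not taken from the advisory).
const samples = [
  'https://cdn.example.com/icons/bot.png',
  'javascript:void(0)',
  'data:image/png;base64,AAAA',
  'https://user:pw@example.com/x.png',
  '/relative/icon.png',
];
for (const s of samples) console.log(JSON.stringify(s), '->', renderIcon(s) || '(rejected)');
```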
Exploit · Fix · XSS
Affected Products
Librechat