CVE-2024-12580

Medium CVSS: 5.3

A vulnerability in danny-avila/librechat prior to version 0.7.6 allows for logs debug injection. The parameters sessionId, fileId, userId, and file_id in the /code/download/:sessionId/:fileId and /download/:userId/:file_id APIs are not validated or filtered, leading to potential log injection attacks. This can cause distortion of monitoring and investigation information, evade detection from security systems, and create difficulties in maintenance and operation.

Vendor

Librechat

Product

Librechat

CWE

CWE-117

Yayın Tarihi

2025-03-20 10:15:29

Güncelleme

2025-07-14 17:56:24

Source Identifier

security@huntr.dev

KEV Date Added

Kategoriler

CWE-117 Librechat MEDIUM Librechat 2025

Referanslar

https://github.com/danny-avila/librechat/commit/95d6bd2c2db4a09b308be2b96e3d5fd522c7b72a https://huntr.com/bounties/6e477667-dcd4-42c2-b342-a6ce09ffdeeb

Benzer Kayıtlar

High

CVE-2026-31945

LibreChat is a ChatGPT clone with additional features. Versions 0.8.2-rc2 through 0.8.2 are vulnerable to a server-side…

Medium

CVE-2026-31950

LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc2 through 0.8.2-rc3, the SSE streaming endpoi…

Medium

CVE-2026-31951

LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc1 through 0.8.3-rc1, user-created MCP (Model…

High

CVE-2026-31943

LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.3, `isPrivateIP()` in `packages/api/src/auth…

Medium

CVE-2026-33265

In LibreChat 0.8.1-rc2, a logged-in user obtains a JWT for both the LibreChat API and the RAG API.

High

CVE-2025-41258

LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session mechanism and RAG API which compromises the se…