CVE-2025-66451
📋 TL;DR
This vulnerability in LibreChat allows authenticated users to modify prompt groups in unintended ways by sending malformed JSON requests to the PATCH endpoint. The lack of input validation enables manipulation of sensitive fields that should be restricted. All LibreChat instances running versions 0.8.0 or below are affected.
💻 Affected Systems
- LibreChat
📦 What is this software?
Librechat by Librechat
⚠️ Risk & Real-World Impact
Worst Case
Attackers could modify critical system prompts to inject malicious content, potentially leading to data manipulation, privilege escalation, or disruption of chat functionality.
Likely Case
Authenticated users could alter prompt configurations beyond their intended permissions, causing inconsistent behavior or unauthorized changes to chat system prompts.
If Mitigated
With proper input validation and access controls, only authorized modifications to prompt groups would be permitted, maintaining system integrity.
🎯 Exploit Status
Exploitation requires authenticated access to the LibreChat API endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.8.1
Vendor Advisory: https://github.com/danny-avila/LibreChat/security/advisories/GHSA-vpqq-5qr4-655h
Restart Required: Yes
Instructions:
1. Backup your LibreChat instance and data. 2. Update to version 0.8.1 or later using your package manager or by pulling the latest code from GitHub. 3. Restart the LibreChat service. 4. Verify the update was successful.
🔧 Temporary Workarounds
Input Validation Middleware
allImplement custom middleware to validate and sanitize JSON input for the /api/prompts/groups/:groupId PATCH endpoint
API Endpoint Restriction
allTemporarily restrict or disable the vulnerable PATCH endpoint until patching is possible
🧯 If You Can't Patch
- Implement strict input validation for all JSON requests to the prompt groups API
- Add additional authentication and authorization checks for prompt modification operations
🔍 How to Verify
Check if Vulnerable:
Check if LibreChat version is 0.8.0 or below by examining package.json or running version check commandCheck Version:
Check package.json for version field or use: npm list @librechat/backend (if installed via npm)Verify Fix Applied:
Confirm version is 0.8.1 or later and test that malformed JSON requests to the PATCH endpoint are properly rejected📡 Detection & Monitoring
Log Indicators:
- Unusual PATCH requests to /api/prompts/groups/* endpoint
- Failed input validation errors
- Unexpected prompt modifications
Network Indicators:
- Malformed JSON payloads sent to prompt group endpoints
- Unusual API call patterns to prompt modification endpoints
SIEM Query:
source="librechat" AND (endpoint="/api/prompts/groups/*" AND method="PATCH") AND (status=200 OR status=400) | stats count by src_ip, user