CVE-2025-66452
📋 TL;DR
LibreChat versions 0.8.0 and below expose user input in JSON parsing error messages, which can be reflected in HTTP responses. This creates a cross-site scripting (XSS) vulnerability where attackers can inject malicious scripts that execute in victims' browsers. Anyone running vulnerable LibreChat instances is affected.
💻 Affected Systems
- LibreChat
📦 What is this software?
Librechat by Librechat
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, or redirect users to malicious sites through persistent XSS payloads.
Likely Case
Reflected XSS attacks where attackers trick users into submitting malformed JSON payloads, leading to script execution in the victim's browser context.
If Mitigated
With proper Content-Type enforcement and input validation, the risk is limited to error message exposure without script execution.
🎯 Exploit Status
Exploitation requires sending malformed JSON payloads and tricking users into viewing error responses.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None
Vendor Advisory: https://github.com/danny-avila/LibreChat/security/advisories/GHSA-q6c5-gvj5-c264
Restart Required: No
Instructions:
No official patch available. Monitor the GitHub advisory for updates and apply when released.
🔧 Temporary Workarounds
Implement custom JSON error handler
Add middleware to catch JSON parsing errors and return generic error messages without user input.
    // Add this middleware after express.json() so it sees the parser's errors.
    // body-parser marks a parse failure as a SyntaxError with status 400 and
    // attaches the raw body to the error; the 'body' in err check keeps this
    // handler from swallowing unrelated SyntaxErrors.
    app.use((err, req, res, next) => {
      if (err instanceof SyntaxError && err.status === 400 && 'body' in err) {
        // Fixed message: never echo err.message or err.body to the client.
        return res.status(400).json({ error: 'Invalid JSON' });
      }
      next(err); // anything else goes on to the default handler
    });
Enforce strict Content-Type headers
Configure web server or middleware to reject requests without proper Content-Type: application/json header.
    // Express middleware example. Note that req.is() returns null when the
    // request has no body, so body-less POSTs are rejected too, and scope this
    // to JSON routes: any POST endpoint that accepts other types (for example
    // multipart uploads) must be excluded.
    app.use((req, res, next) => {
      if (req.method === 'POST' && !req.is('application/json')) {
        return res.status(415).send('Unsupported Media Type');
      }
      next();
    });
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with XSS protection rules
- Disable or restrict access to vulnerable LibreChat instances
🔍 How to Verify
Check if Vulnerable:
Send a POST request with malformed JSON (e.g., {"test":}) and check if error response contains the malformed input.
Check Version:
Check package.json for LibreChat version or run: npm list librechat
Verify Fix Applied:
After applying workarounds, test with malformed JSON payloads and verify responses contain generic error messages without user input.
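The following is an added, framework-free example (not LibreChat's code and not from the advisory) that models the two workarounds above and the reflection check from "How to Verify" as plain functions, so the behaviour can be exercised without a running server. The request object shape, the function names and the constructed payload are this example's own assumptions; the Express wiring on the page calls the same logic.

```javascript
// Added example, not LibreChat code: models the generic-error and
// Content-Type workarounds and the "does the response echo the input" check.
// Request shape { method, headers, rawBody } and all names are assumptions.

// Constructed malformed payload, the same shape the verification step uses.
const MALFORMED_BODY = '{"test":}';

// Naive handler: returns the parser's own message. On Node 20+ V8 embeds the
// raw source text in the SyntaxError message, so user input reaches the response.
function naiveHandle(rawBody) {
  try {
    return { status: 200, body: JSON.parse(rawBody) };
  } catch (err) {
    if (!(err instanceof SyntaxError)) throw err;
    return { status: 400, body: { error: err.message } };
  }
}

// Workaround 2: reject POSTs whose Content-Type is not application/json.
// Media-type parameters such as "; charset=utf-8" are accepted, as req.is() accepts them.
function contentTypeAllowed(method, contentType) {
  if (method !== 'POST') return true;
  if (typeof contentType !== 'string') return false;
  return /^application\/json\s*(;|$)/i.test(contentType.trim());
}

// Workaround 1: classify the parse failure, keep the detail in server-side
// logs, and send a fixed message that never contains the request body.
function hardenedHandle(request, log = () => {}) {
  const { method, headers = {}, rawBody } = request;
  if (!contentTypeAllowed(method, headers['content-type'])) {
    return { status: 415, body: { error: 'Unsupported Media Type' } };
  }
  try {
    return { status: 200, body: JSON.parse(rawBody) };
  } catch (err) {
    if (!(err instanceof SyntaxError)) throw err;
    log(`JSON parse failure: ${err.message}`); // detail stays server-side
    return { status: 400, body: { error: 'Invalid JSON' } };
  }
}

// Verification step: does any string in the response carry the submitted body?
function reflectsInput(response, rawBody) {
  const strings = [];
  const walk = (v) => {
    if (typeof v === 'string') strings.push(v);
    else if (v && typeof v === 'object') Object.values(v).forEach(walk);
  };
  walk(response.body);
  return strings.some((s) => s.includes(rawBody));
}

// Stand-alone demo: compare the naive and hardened responses for the payload.
if (typeof require !== 'undefined' && require.main === module) {
  const req = {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    rawBody: MALFORMED_BODY,
  };
  console.log('naive reflects input:', reflectsInput(naiveHandle(MALFORMED_BODY), MALFORMED_BODY));
  console.log('hardened reflects input:', reflectsInput(hardenedHandle(req), MALFORMED_BODY));
}
```

Whether the naive handler echoes the payload depends on the Node.js version (newer V8 builds quote the offending source text in the SyntaxError message); the hardened handler returns the same fixed string on every version, which is what the "Verify Fix Applied" step checks for.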
📡 Detection & Monitoring
Log Indicators:
- HTTP 400 responses with JSON parsing errors
- Error messages containing user-submitted data
Network Indicators:
- POST requests with malformed JSON payloads
- Responses containing <script> tags or JavaScript in error messages
SIEM Query:
http.status_code=400 AND http.request_body:*{* AND http.response_body:*<script>*