Log Injection Vulnerability in LibreChat by Danny Avila
CVE-2024-12580

5.3MEDIUM

Key Information:

Vendor

Danny-avila

Status
Danny-avila/librechat
Vendor
CVE Published:
20 March 2025

What is CVE-2024-12580?

A vulnerability in LibreChat allows attackers to perform log injection due to unvalidated parameters in specific API endpoints. In this case, the parameters sessionId, fileId, userId, and file_id are not properly validated or filtered. This lack of protection may result in log entries being tampered with, complicating monitoring, investigation efforts, and detection by security measures. Such vulnerabilities can lead to significant challenges in maintenance and operational effectiveness.

Affected Version(s)

danny-avila/librechat < 0.7.6

References

https://huntr.com/bounties/6e477667-dcd4-42c2-b342-a6ce09...
https://github.com/danny-avila/librechat/commit/95d6bd2c2...

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

CVSS V3.0

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.