Stored Cross-Site Scripting Vulnerability in LibreChat by Danny Avila
CVE-2025-66450
8.6 HIGH
What is CVE-2025-66450?
LibreChat versions 0.8.0 and earlier are susceptible to a Stored Cross-Site Scripting (XSS) vulnerability. An attacker can manipulate the iconURL parameter in a POST request to inject malicious code. The injected code is stored with the chat's memory, which is shared with other users. When a recipient opens the shared chat, the stored code executes in their browser and can expose them to unauthorized tracking. This poses a significant privacy risk for users of the chat functionality. Users are recommended to upgrade to version 0.8.1, where this vulnerability has been resolved.
Affected Version(s)
LibreChat < 0.8.1
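One defensive pattern for this class of bug, shown as an added example that is not LibreChat's own code or its actual fix: allow-list the scheme of a user-supplied icon URL when the POST body is accepted, and attribute-encode the stored value again when it is rendered into shared content. The function names, the accepted-scheme policy and the fallback path are assumptions.

```javascript
// Added example (not LibreChat's code): validate a user-supplied icon URL
// before storing it, and encode it at render time as a second layer.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']); // assumed policy

// Returns a normalized absolute URL string if acceptable, otherwise null.
function sanitizeIconUrl(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 2048) {
    return null;
  }
  let parsed;
  try {
    parsed = new URL(value.trim()); // throws on relative or malformed input
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return null; // blocks javascript:, data:, vbscript: and similar schemes
  }
  if (parsed.username || parsed.password) {
    return null; // keep credential-bearing URLs out of shared content
  }
  return parsed.href;
}

// Encode a string for safe placement inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Render the icon tag for a shared chat; a value that fails validation
// (for example one stored before validation existed) falls back to a default.
function renderIcon(storedValue, fallback = '/assets/default-icon.png') {
  const safe = sanitizeIconUrl(storedValue) ?? fallback;
  return `<img src="${escapeAttr(safe)}" alt="">`;
}

// Constructed sample inputs for a quick local check.
console.log(renderIcon('https://example.com/icon.png'));
console.log(renderIcon('javascript:void(0)'));
```

Validating on input protects new records; encoding on output also covers values that were stored before the check was added.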
