JSON Parsing Error Handling in LibreChat by Danny Avila
CVE-2025-66452

5.3MEDIUM

Key Information:

Vendor: Danny-avila
Status: Librechat
Vendor: CVE Published:; 11 December 2025

🔔 Create Danny-avila Vulnerability Alert

What is CVE-2025-66452?

In LibreChat versions up to 0.8.0, a lack of proper error handling for JSON parsing can expose user input errors in error messages. When the express.json() method encounters a SyntaxError, it includes user input that could be HTML or JavaScript, potentially leading to Cross-Site Scripting (XSS) vulnerabilities if strict Content-Type headers are not enforced. This exposure allows attackers to inject harmful scripts that can be reflected in responses, posing a serious security risk.

Affected Version(s)

LibreChat <= 0.8.1

References

https://github.com/danny-avila/LibreChat/security/advisor...

x_refsource_CONFIRM

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 11, 2025
Vulnerability Reserved
Dec 1, 2025

JSON