HTML Injection Vulnerability in LibreChat by Danny Avila
CVE-2025-8848

4.8MEDIUM

Key Information:

Vendor: Danny-avila
Status: Danny-avila/librechat
Vendor: CVE Published:; 22 October 2025

🔔 Create Danny-avila Vulnerability Alert

What is CVE-2025-8848?

A vulnerability within the LibreChat application, specifically in version 0.7.9, allows for HTML injection through the Accept-Language header. When an authenticated user sends an HTTP GET request with a specially crafted Accept-Language header, it can lead to the inclusion of arbitrary HTML in the response's tag. This vulnerability may expose the application to security threats, including potential cross-site scripting (XSS) exploits, which can compromise user data and application integrity.

Affected Version(s)

danny-avila/librechat <= unspecified

References

https://huntr.com/bounties/a05ebc1f-882a-4adc-b178-d3cefa...

CVSS V3.0

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 22, 2025
Vulnerability Reserved
Aug 10, 2025

CVE-2025-8848 Data

JSON