VDB

CVE-2025-66450

CVE-2025-66450 PUBLISHED CVSS 8.600000381469727 HIGH

LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when a user posts a question, the iconURL parameter of the POST request can be modified by an attacker. The malicious code is then stored in the chat which can then be shared to other users. When sharing chats with a potentially malicious “tracker”, resources loaded can lead to loss of privacy for users who view the chat link that is sent to them. This issue is fixed in version 0.8.1.

EPSS 0.03% · 8.1th percentile

Risk Scores

CVSS v4.0
8.600000381469727
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N
EPSS Score
0.03%
8.1th percentile

Affected Products

VendorProductVersions
danny-avilaLibreChat< 0.8.1
librechatlibrechat0

Timeline

  • Dec 1, 2025 CVE ID Reserved
  • Dec 11, 2025 CVE Published
  • Dec 12, 2025 EPSS Score
  • Dec 12, 2025 CVE Updated
  • Dec 16, 2025 EPSS Score
  • Dec 20, 2025 EPSS Score
  • Dec 24, 2025 EPSS Score
  • Dec 28, 2025 EPSS Score
  • Jan 1, 2026 EPSS Score
  • Jan 5, 2026 EPSS Score
  • Jan 9, 2026 EPSS Score
  • Jan 14, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›