VDB
CVE-2025-66451
CVE-2025-66451
PUBLISHED
CVSS 5.300000190734863 MEDIUM
LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when creating prompts, JSON requests are sent to define and modify the prompts via PATCH endpoint for prompt groups (/api/prompts/groups/:groupId). However, the request bodies are not sufficiently validated for proper input, enabling users to modify prompts in a way that was not intended as part of the front end system. The patchPromptGroup function passes req.body directly to updatePromptGroup() without filtering sensitive fields. This issue is fixed in version 0.8.1.
EPSS 0.10% · 26.7th percentile
Risk Scores
CVSS v4.0
5.300000190734863
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS Score
0.10%
26.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| librechat | librechat | 0 |
| danny-avila | LibreChat | < 0.8.1 |
Timeline
- Dec 1, 2025 CVE ID Reserved
- Dec 11, 2025 CVE Published
- Dec 11, 2025 PoC Published
- Dec 12, 2025 EPSS Score
- Dec 12, 2025 CVE Updated
- Dec 16, 2025 EPSS Score
- Dec 20, 2025 EPSS Score
- Dec 24, 2025 EPSS Score
- Dec 28, 2025 EPSS Score
- Jan 1, 2026 EPSS Score
- Jan 5, 2026 EPSS Score
- Jan 9, 2026 EPSS Score