CVE-2024-12580

MEDIUM

danny-avila/librechat <0.7.6 - Code Injection

Title source: llm

Description

A vulnerability in danny-avila/librechat prior to version 0.7.6 allows for logs debug injection. The parameters sessionId, fileId, userId, and file_id in the /code/download/:sessionId/:fileId and /download/:userId/:file_id APIs are not validated or filtered, leading to potential log injection attacks. This can cause distortion of monitoring and investigation information, evade detection from security systems, and create difficulties in maintenance and operation.

References (2)

[Patch] https://github.com/danny-avila/librechat/commit/95d6bd2c2db4a09b308be2b96e3d5fd522c7b72a

View Patch ZIP pw:eip

[Exploit, Third Party Advisory] https://huntr.com/bounties/6e477667-dcd4-42c2-b342-a6ce09ffdeeb

Scores

CVSS v3 5.3

EPSS 0.0015

EPSS Percentile 35.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-117

Status published

Products (1)

librechat/librechat < 0.7.6

Published Mar 20, 2025

Tracked Since Feb 18, 2026