DirectorySecurity AdvisoriesPricing
/
Sign in
Security Advisories

CVE-2025-66452

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2025-66452

Severity

Unknown

Summary

LibreChat's lack of JSON parsing error handling can lead to XSS

Description

LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, there is no handler for JSON parsing errors; SyntaxError from express.json() includes user input in the error message, which gets reflected in responses. User input (including HTML/JavaScript) can be exposed in error responses, creating an XSS risk if Content-Type isn't strictly enforced. This issue does not have a fix at the time of publication.

References

  • https://images.chainguard.dev/security/CGA-f8f8-9946-frhf
  • https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66452.json
  • https://github.com/danny-avila/LibreChat/security/advisories/GHSA-q6c5-gvj5-c264
  • https://nvd.nist.gov/vuln/detail/CVE-2025-66452

Affected packages

The trusted source for open source

Talk to an expert
© 2025 Chainguard. All Rights Reserved.
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsIntegrationsPricing

Solutions

FedRAMPPCI DSSCMMC 2.0Golden ImagesCVE RemediationPublic Sector

Customers

Customer StoriesChainguard Reviews

Resources

Events & WebinarsSupply Chain Security 101Chainguard CoursesDocumentationTrust CenterChainguard Slack Community

Company

About UsBlogPartnersNewsroomCareersLegal