5.3

CVE-2024-12580

Exploit

EPSS 0.08%
Veröffentlicht 20.03.2025 10:09:16
Zuletzt bearbeitet 14.07.2025 17:56:24
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

A vulnerability in danny-avila/librechat prior to version 0.7.6 allows for logs debug injection. The parameters sessionId, fileId, userId, and file_id in the /code/download/:sessionId/:fileId and /download/:userId/:file_id APIs are not validated or filtered, leading to potential log injection attacks. This can cause distortion of monitoring and investigation information, evade detection from security systems, and create difficulties in maintenance and operation.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Librechat ≫ Librechat Version < 0.7.6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.08%	0.238

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
security@huntr.dev	4.3	2.8	1.4	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE-117 Improper Output Neutralization for Logs

The product does not neutralize or incorrectly neutralizes output that is written to logs.

https://huntr.com/bounties/6e477667-dcd4-42c2-b342-a6ce09ffdeeb

Third Party Advisory

Exploit

https://github.com/danny-avila/librechat/commit/95d6bd2c2db4a09b308be2b96e3d5fd522c7b72a

Patch

https://nvd.nist.gov/vuln/detail/CVE-2024-12580

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-12580

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-12580

EUVD