CVE-2024-12580
Logs Debug Injection in danny-avila/librechat
Vexday Risk Score: 13 (Low)
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 4.3 · EPSS 0.5% · KEV no · PoC — · Patch —
Lifecycle
Mar 20, 2025: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
A vulnerability in danny-avila/librechat prior to version 0.7.6 allows for logs debug injection. The parameters sessionId, fileId, userId, and file_id in the /code/download/:sessionId/:fileId and /download/:userId/:file_id APIs are not validated or filtered, leading to potential log injection attacks. This can cause distortion of monitoring and investigation information, evade detection from security systems, and create difficulties in maintenance and operation.
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
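The description above boils down to two missing controls on the route parameters: no validation of the id format, and no neutralisation of control characters before the value reaches a log line. The following is an added example written for this page, not LibreChat's own code; the route shape mirrors the `/download/:userId/:file_id` API named in the advisory, while the helper names and the assumed id alphabet are hypothetical.

```javascript
// Added example (not LibreChat's code): validate route ids and neutralise
// control characters so an untrusted value cannot forge or split log lines.

// Assumed id format: a short token of URL-safe characters. Anything else
// (slashes, whitespace, CR/LF) is rejected before it is used or logged raw.
const SAFE_ID = /^[A-Za-z0-9_-]{1,64}$/;

function isValidId(value) {
  return typeof value === 'string' && SAFE_ID.test(value);
}

// Escape every ASCII control character (CR, LF, ESC, NUL, DEL) as \xNN so the
// value stays on one log line and cannot carry ANSI sequences into a terminal.
function sanitizeForLog(value) {
  return String(value).replace(/[\x00-\x1f\x7f]/g, (c) =>
    '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Simulated download handler: returns the HTTP status it would send and the
// exact log line it would write, so both can be inspected without a server.
function handleDownload(params) {
  const { userId, file_id } = params;
  if (!isValidId(userId) || !isValidId(file_id)) {
    // Log the rejection, but only through the sanitizer: the attacker-chosen
    // value must not be able to inject a fake "[auth] ..." event of its own.
    return {
      status: 400,
      log: `[download] rejected invalid ids user=${sanitizeForLog(userId)} ` +
           `file=${sanitizeForLog(file_id)}`,
    };
  }
  // Ids that passed validation contain no control characters by construction.
  return { status: 200, log: `[download] user=${userId} file=${file_id}` };
}

// Constructed sample: a userId carrying a CRLF-style forged log event.
const forged = 'abc\n[auth] login ok user=admin';
console.log(handleDownload({ userId: forged, file_id: 'f1' }).log);
console.log(handleDownload({ userId: 'user-123', file_id: 'file_456' }).log);
```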
Affected products
danny-avila · danny-avila/librechat