Improper input validation in Danny-avila Librechat
CVE-2025-66451
LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when creating prompts, JSON requests are sent to define and modify the prompts via the PATCH endpoint for prompt groups (/api/prompts/groups/:groupId). However…
Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)
EPSS: 0.001 (26.7th percentile)
Affected products
- Danny-avila Librechat — versions < 0.8.1