Home > Vulnerability Database > CVE-2025-66450

Mend.io Vulnerability Database

CVE-2025-66450

Good to know:

Date: December 11, 2025

LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when a user posts a question, the iconURL parameter of the POST request can be modified by an attacker. The malicious code is then stored in the chat which can then be shared to other users. When sharing chats with a potentially malicious “tracker”, resources loaded can lead to loss of privacy for users who view the chat link that is sent to them. This issue is fixed in version 0.8.1.

Severity Score

5.4

Related Resources (4)

Url: https://github.com/danny-avila/LibreChat/commit/6fa94d3eb8f5779363226d10dccf8b01a735744c

Url: https://github.com/danny-avila/LibreChat/security/advisories/GHSA-84vx-vmcf-xgpp

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-66450

Url: https://www.mend.io/vulnerability-database/CVE-2025-66450

Severity Score

5.4

Weakness Type (CWE)

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-80

Top Fix

Upgrade Version

Upgrade to version https://github.com/danny-avila/LibreChat.git - v0.8.1

Learn More

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-66450

Good to know:

Date: December 11, 2025

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?