LibreChat
cpe:2.3:a:librechat:librechat:*:*:*:*:*:*:*
- <= 0.8.0
A stored cross-site scripting vulnerability has been identified in LibreChat versions through 0.8.0. The issue arises because the iconURL parameter in POST requests can be manipulated by users. This modified URL is saved in the chat history and can be shared with others. When the chat link is accessed, the recipient's browser loads resources from the potentially malicious URL, leading to privacy concerns. The vulnerability has been patched in version 0.8.1.
Exploitation of this vulnerability could result in stored cross-site scripting, where injected scripts are executed in the context of the user viewing the chat.
To reproduce this vulnerability, send a POST request to the chat endpoint with a modified iconURL parameter that includes a link to an external resource, such as an image. Once the chat is saved, share the chat link with another user. When the recipient opens the chat, their browser will fetch the resource from the malicious URL, demonstrating the privacy breach.
Users can update to LibreChat version 0.8.1 to address this vulnerability.
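For deployments that want a defense-in-depth check, or want to audit chats saved before upgrading, the following is an added example and not LibreChat's patch or code: it validates a client-supplied iconURL on the server before it is stored and lists stored conversations whose value would be rejected. The origin, the function names and the `conversationId` field are assumptions made for illustration.

```javascript
// Added example (not LibreChat code). APP_ORIGIN, ALLOWED_ICON_ORIGINS,
// sanitizeIconURL and findExternalIcons are hypothetical names.
const APP_ORIGIN = 'https://chat.example.internal'; // assumption: the app's own origin
const ALLOWED_ICON_ORIGINS = new Set([APP_ORIGIN]); // extend with trusted icon hosts

// Returns a safe value to persist, or null when the input must be dropped.
function sanitizeIconURL(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 2048) {
    return null;
  }
  // URL parsers treat "\" like "/" and strip tab/CR/LF; refuse such input
  // instead of relying on how it will be normalized later.
  if (/[\\\u0000-\u001f\u007f]/.test(value)) {
    return null;
  }
  let parsed;
  try {
    // Resolving against the app origin keeps relative paths same-origin and
    // exposes protocol-relative input ("//host/x.png") as an external host.
    parsed = new URL(value, APP_ORIGIN);
  } catch {
    return null;
  }
  if (parsed.protocol !== 'https:') return null;        // rejects http:, data:, etc.
  if (parsed.username || parsed.password) return null;  // no embedded credentials
  if (!ALLOWED_ICON_ORIGINS.has(parsed.origin)) return null;
  // Store same-origin icons as paths so they never point off-site.
  return parsed.origin === APP_ORIGIN ? parsed.pathname + parsed.search : parsed.href;
}

// Audit helper: ids of stored conversations whose iconURL would be rejected.
function findExternalIcons(conversations) {
  return conversations
    .filter((c) => c.iconURL != null && sanitizeIconURL(c.iconURL) === null)
    .map((c) => c.conversationId);
}

// Constructed sample records (not real data).
const sampleConversations = [
  { conversationId: 'c1', iconURL: '/assets/openai.svg' },
  { conversationId: 'c2', iconURL: 'https://tracker.example.net/pixel.png' },
  { conversationId: 'c3', iconURL: '//tracker.example.net/pixel.png' },
  { conversationId: 'c4', iconURL: 'data:image/png;base64,AAAA' },
  { conversationId: 'c5' }, // no iconURL set
];
console.log(findExternalIcons(sampleConversations));
```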