LibreChat
cpe:2.3:a:librechat:librechat:*:*:*:*:*:*:*
- 0.8.0
A cross-site scripting (XSS) vulnerability exists in LibreChat versions through 0.8.0 due to improper handling of JSON parsing errors. The 'express.json()' function can generate a SyntaxError that includes user input, which is then reflected in the HTTP response. This flaw allows for the inclusion of HTML and JavaScript in error messages, creating an XSS risk if the Content-Type is not strictly validated. The vulnerability arises because user-supplied data should not be echoed back without proper sanitization, especially in a production environment.
Exploitation of this vulnerability could lead to cross-site scripting, allowing for the injection of malicious scripts that could be executed in the context of the user's browser.
To reproduce this vulnerability, send a POST request to the '/d/prompts/{id}' endpoint with the Content-Type set to 'application/json'. Include HTML tags and JavaScript in the request body. The response will reflect the unprocessed user input, including any embedded scripts, which could be executed if the Content-Type is not properly enforced.
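An added example (not LibreChat's code or its actual fix) of handling the `express.json()` parse error described above: an Express-style error middleware that answers with a fixed JSON message instead of the error text. The function names, the mock response object and the sample body are constructed for illustration, and it assumes body-parser tags these errors with `type: 'entity.parse.failed'` and attaches the raw body as `err.body`.

```javascript
// Added example: hardened Express-style error middleware (signature err, req, res, next).
// Assumption: body-parser marks JSON parse failures with err.type === 'entity.parse.failed'
// and attaches the raw request body as err.body.
function isBodyParseError(err) {
  return Boolean(err) && (err.type === 'entity.parse.failed' ||
    (err instanceof SyntaxError && err.status === 400 && 'body' in err));
}

function jsonParseErrorHandler(err, req, res, next) {
  if (!isBodyParseError(err)) return next(err); // leave other errors to later handlers
  // Fixed message only: never err.message or err.body, both can carry user input.
  res.status(400);
  res.set('Content-Type', 'application/json; charset=utf-8');
  res.set('X-Content-Type-Options', 'nosniff'); // stop browsers sniffing the body as HTML
  res.send(JSON.stringify({ error: 'Invalid JSON in request body' }));
}

// Constructed stand-in for the error express.json() raises on a malformed body.
function makeParseError(rawBody) {
  try {
    JSON.parse(rawBody);
  } catch (e) {
    return Object.assign(e, { status: 400, type: 'entity.parse.failed', body: rawBody });
  }
  throw new Error('sample body unexpectedly parsed as JSON');
}

// Minimal mock of the response object so the handler runs without Express installed.
function runHandler(err) {
  const out = { status: null, headers: {}, body: null, passedOn: null };
  const res = {
    status(code) { out.status = code; return this; },
    set(name, value) { out.headers[name] = value; return this; },
    send(payload) { out.body = payload; return this; },
  };
  jsonParseErrorHandler(err, {}, res, (e) => { out.passedOn = e; });
  return out;
}

// Constructed sample body containing markup rather than JSON.
const sample = runHandler(makeParseError('<b>constructed-marker</b>'));
console.log(sample.status, sample.body);
```

In an Express app the handler would be registered with `app.use(jsonParseErrorHandler)` after the routes, so it runs before any default error handler.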