CVE-2024-12580

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-12580
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-12580.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-12580
Published
2025-03-20T10:15:29Z
Modified
2025-03-20T20:00:05Z
Summary
[none]
Details

A vulnerability in danny-avila/librechat prior to version 0.7.6 allows injection into debug logs. The parameters sessionId, fileId, userId, and fileid in the /code/download/:sessionId/:fileId and /download/:userId/:fileid APIs are not validated or filtered, which makes log injection attacks possible. This can distort monitoring and investigation information, allow evasion of detection by security systems, and create difficulties in maintenance and operation.
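The following added example (not LibreChat's code and not the project's actual fix) contrasts logging route parameters raw with validating them against an allowlist and escaping control characters before they reach the log. The function names, `ID_PATTERN`, the log line format and the sample values are assumptions made for illustration.

```javascript
// Added example, not LibreChat code. ID_PATTERN and the log format are assumptions.

// Assumed allowlist: identifiers are short and limited to URL-safe characters.
const ID_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;

// Validate every route parameter before it is used or logged.
// Returns the names of the parameters that failed validation.
function invalidParams(params) {
  return Object.entries(params)
    .filter(([, value]) => typeof value !== 'string' || !ID_PATTERN.test(value))
    .map(([name]) => name);
}

// Defence in depth for anything that still reaches the logger:
// escape control characters so a value can never start a new log line.
function neutralize(value) {
  return String(value).replace(/[\u0000-\u001f\u007f\u0085\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Vulnerable pattern: request parameters interpolated into the log line as-is.
function logLineUnsafe(params) {
  return `[debug] download sessionId=${params.sessionId} fileId=${params.fileId}`;
}

// Hardened pattern: reject bad input, and escape what is logged about the rejection.
function logLineSafe(params) {
  const bad = invalidParams(params);
  if (bad.length > 0) {
    return `[warn] download rejected, invalid parameters: ${bad.join(',')} ` +
      `sessionId=${neutralize(params.sessionId)} fileId=${neutralize(params.fileId)}`;
  }
  return `[debug] download sessionId=${params.sessionId} fileId=${params.fileId}`;
}

// Constructed sample parameters, as they look after URL decoding (%0A became a newline).
const forged = { sessionId: 'abc123', fileId: 'f1\n[debug] forged entry' };
const normal = { sessionId: 'abc123', fileId: 'report_2024-01' };

console.log(logLineUnsafe(forged).split('\n').length); // the raw value spans two log lines
console.log(logLineSafe(forged));                      // one line, newline shown escaped
console.log(logLineSafe(normal));                      // valid IDs are logged unchanged
```

Rejecting the request at validation time is the primary control; the escaping step only ensures that the record of the rejected request cannot itself split into multiple log entries.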

References

Affected packages

Git / github.com/danny-avila/librechat

Affected ranges

Type
GIT
Repo
https://github.com/danny-avila/librechat
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed