CVE-2024-12580 — MEDIUM (5.3)

Q: How severe is CVE-2024-12580?

CVE-2024-12580 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-12580?

Check the references section above for vendor advisories and patch information. Affected products include: Librechat Librechat.

Vulnerability Description

A vulnerability in danny-avila/librechat prior to version 0.7.6 allows for logs debug injection. The parameters sessionId, fileId, userId, and file_id in the /code/download/:sessionId/:fileId and /download/:userId/:file_id APIs are not validated or filtered, leading to potential log injection attacks. This can cause distortion of monitoring and investigation information, evade detection from security systems, and create difficulties in maintenance and operation.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Librechat	Librechat	< 0.7.6

Related Weaknesses (CWE)

CWE-117

References

https://github.com/danny-avila/librechat/commit/95d6bd2c2db4a09b308be2b96e3d5fd5Patch
https://huntr.com/bounties/6e477667-dcd4-42c2-b342-a6ce09ffdeebExploitThird Party Advisory

FAQ

What is CVE-2024-12580?

CVE-2024-12580 is a vulnerability with a CVSS score of 5.3 (MEDIUM). A vulnerability in danny-avila/librechat prior to version 0.7.6 allows for logs debug injection. The parameters sessionId, fileId, userId, and file_id in the /code/download/:sessionId/:fileId and /dow...

How severe is CVE-2024-12580?

CVE-2024-12580 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-12580?

Check the references section above for vendor advisories and patch information. Affected products include: Librechat Librechat.