Unrated severityNVD Advisory· Published Dec 11, 2025· Updated Dec 12, 2025
LibreChat's Improper Input Validation in Prompt Creation API Enables Unauthorized Permission Changes
CVE-2025-66451
Description
LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when creating prompts, JSON requests are sent to define and modify the prompts via PATCH endpoint for prompt groups (/api/prompts/groups/:groupId). However, the request bodies are not sufficiently validated for proper input, enabling users to modify prompts in a way that was not intended as part of the front end system. The patchPromptGroup function passes req.body directly to updatePromptGroup() without filtering sensitive fields. This issue is fixed in version 0.8.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
5- osv-coords3 versions
< 0.8.1-r0+ 2 more
- (no CPE)range: < 0.8.1-r0
- (no CPE)range: < 0.8.1-r0
- (no CPE)range: < 0.8.1-r0
Patches
Vulnerability mechanics
References
2- github.com/danny-avila/LibreChat/commit/01413eea3d3c1454d32ca9704fa9640407839737mitrex_refsource_MISC
- github.com/danny-avila/LibreChat/security/advisories/GHSA-vpqq-5qr4-655hmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.