Description

A vulnerability in danny-avila/librechat version 0.7.9 allows for HTML injection via the Accept-Language header. When a logged-in user sends an HTTP GET request with a crafted Accept-Language header, arbitrary HTML can be injected into the <html lang=""> tag of the response. This can lead to potential security risks such as cross-site scripting (XSS) attacks.
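
One way to close this class of bug on the server, shown as an added example (not LibreChat's code or its actual fix): validate the Accept-Language value against a conservative language-tag pattern before it reaches the lang attribute, and attribute-encode the result anyway. The names pickLang, escapeAttr and renderShell, the en-US default and the sample headers are assumptions made for illustration.

```javascript
// Added example; pickLang, escapeAttr and renderShell are hypothetical names.
const DEFAULT_LANG = 'en-US'; // assumed fallback
// Conservative subset of BCP 47: primary language plus up to three subtags.
const LANG_TAG = /^[A-Za-z]{2,3}(?:-[A-Za-z0-9]{2,8}){0,3}$/;

// Return the highest-priority well-formed tag from an Accept-Language value,
// or the default when the header is missing, oversized or has nothing valid.
function pickLang(header) {
  if (typeof header !== 'string' || header.length > 256) return DEFAULT_LANG;
  const candidates = header.split(',').map((part, index) => {
    const [tag, ...params] = part.trim().split(';');
    const qParam = params.map((p) => p.trim()).find((p) => /^q=/i.test(p));
    const q = qParam ? Number(qParam.slice(2)) : 1; // NaN is filtered out below
    return { tag: tag.trim(), q, index };
  });
  const valid = candidates
    .filter((c) => LANG_TAG.test(c.tag) && c.q > 0 && c.q <= 1)
    .sort((a, b) => b.q - a.q || a.index - b.index);
  return valid.length ? valid[0].tag : DEFAULT_LANG;
}

// Defence in depth: encode for an HTML attribute even after validation.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build the page shell with a lang attribute that can only hold a checked tag.
function renderShell(acceptLanguage) {
  const lang = escapeAttr(pickLang(acceptLanguage));
  return `<!DOCTYPE html><html lang="${lang}"><head></head><body></body></html>`;
}

// Constructed sample header values.
const samples = [
  'fr-CH, fr;q=0.9, en;q=0.8',
  'en;q=0.5, de;q=0.9',
  'en"><b>x</b>', // markup that would break out of the attribute if reflected
  undefined,
];
for (const s of samples) console.log(JSON.stringify(s), '->', pickLang(s));
```

Anything that is not a plain language tag falls back to the default, so the header value itself is never copied into the response.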

INFO

Published Date: 2025-10-22T13:54:00.389Z
Last Modified: 2025-10-30T18:22:51.121Z
Source: @huntr_ai

AFFECTED PRODUCTS

The following products are affected by the CVE-2025-8848 vulnerability.

Vendor: Librechat
Product: Librechat