LibreChat Icon URL Injection Vulnerability

MEDIUM (5.4) Partial Fix Patch

Threat Intelligence

Low Risk
EPSS Score: 0.05% chance of exploitation (percentile: 15%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

LibreChat is an open-source ChatGPT clone with additional features; it lets users create, manage and share conversations. In this vulnerability, an attacker manipulates the iconURL parameter of a POST request to inject malicious code into the chat interface. Chats can then be shared with a potentially malicious "tracker" resource embedded, compromising the privacy of the users who open them.

Am I affected?

You're affected if you use LibreChat version 0.8.0 or earlier. To check whether the software is installed, run the following command: find / -name "librechat*.jar" (on Linux/macOS) or find %USERPROFILE%\AppData\Roaming\LibreChat (on Windows).

Note that LibreChat is a niche software, so if you don't recognize the name, you're probably not affected.

Version info: Affected versions: 0.8.0

Affected Products

aEnrich / a+HRD

How to fix

To fix this vulnerability, upgrade to LibreChat version 0.8.1 or later. The fixing commit in the GitHub repository is: https://github.com/danny-avila/LibreChat/commit/6fa94d3eb8f5779363226d10dccf8b01a735744c

Immediate mitigations:

  • Restrict network access to your LibreChat instance (firewall it from the public internet)
  • Audit admin account activity for suspicious access patterns
  • Monitor for unauthorized token creation
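As an added illustration of the defensive side of the issue described above (the iconURL parameter being stored unchecked and later loaded by whoever a chat is shared with) and of the audit step in the mitigation list, the following example shows server-side validation of a user-supplied iconURL plus a scan of already-stored records. This is example code written for this page, not LibreChat's own code or its actual fix; the allowlisted host, the local upload path prefix, the record shape and the sample records are all constructed assumptions.

```javascript
// Added example (not LibreChat's own code): server-side handling of a
// user-supplied iconURL. (1) validateIconUrl/sanitizeIconUrlInBody check the
// value when a POST request sets it, so an arbitrary third-party resource is
// never stored; (2) auditStoredIcons finds records already in storage whose
// icon points outside the allowlist. Allowlist, path prefix and record shape
// are assumptions made for this example.

const ALLOWED_ICON_HOSTS = new Set(['icons.example.internal']); // constructed allowlist
const LOCAL_ICON_PREFIX = '/images/';                          // assumed local upload path

function validateIconUrl(raw, opts = {}) {
  const allowedHosts = opts.allowedHosts || ALLOWED_ICON_HOSTS;
  const localPrefix = opts.localPrefix || LOCAL_ICON_PREFIX;

  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) {
    return { ok: false, reason: 'empty-or-too-long' };
  }
  // Whitespace and control characters have no place in an icon URL and are a
  // common way to smuggle a second URL or an HTML attribute into the value.
  if (/[\s\x00-\x1f\x7f]/.test(raw)) {
    return { ok: false, reason: 'control-chars' };
  }

  // Same-origin icon: a plain path under the upload prefix, no traversal, and
  // no protocol-relative form ("//host/...") that a browser treats as external.
  if (raw.startsWith('/')) {
    if (raw.startsWith('//')) return { ok: false, reason: 'protocol-relative' };
    if (!raw.startsWith(localPrefix) || raw.split('/').includes('..')) {
      return { ok: false, reason: 'outside-local-prefix' };
    }
    return { ok: true, url: raw };
  }

  // Absolute URL: must parse, must be https, no embedded credentials, host on
  // the allowlist. "javascript:" and "data:" parse fine and fail the scheme check.
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (parsed.protocol !== 'https:') return { ok: false, reason: `scheme:${parsed.protocol}` };
  if (parsed.username || parsed.password) return { ok: false, reason: 'credentials-in-url' };
  if (!allowedHosts.has(parsed.hostname)) return { ok: false, reason: 'host-not-allowed' };
  return { ok: true, url: parsed.href };
}

// Apply the check to a POST body. An invalid iconURL is dropped (set to null)
// and the reason returned for logging, so the rest of the request still works.
function sanitizeIconUrlInBody(body) {
  if (!body || typeof body !== 'object' || !('iconURL' in body)) {
    return { body, rejected: null };
  }
  const result = validateIconUrl(body.iconURL);
  return {
    body: { ...body, iconURL: result.ok ? result.url : null },
    rejected: result.ok ? null : result.reason,
  };
}

// Audit records already in storage (assumed shape: { id, iconURL }) and return
// the ids, with reasons, whose iconURL would fail validation today.
function auditStoredIcons(records) {
  return records
    .map((r) => ({ id: r.id, check: validateIconUrl(r.iconURL) }))
    .filter((x) => !x.check.ok)
    .map((x) => ({ id: x.id, reason: x.check.reason }));
}

// Constructed sample records for a stand-alone run; none of these are real.
const SAMPLE_RECORDS = [
  { id: 'chat-1', iconURL: '/images/avatar-1.png' },
  { id: 'chat-2', iconURL: 'https://icons.example.internal/team.png' },
  { id: 'chat-3', iconURL: 'https://tracker.example.net/pixel.gif?u=42' },
  { id: 'chat-4', iconURL: '//tracker.example.net/pixel.gif' },
  { id: 'chat-5', iconURL: 'javascript:alert(1)' },
];

console.log(sanitizeIconUrlInBody({ title: 'hello', iconURL: 'https://tracker.example.net/p.gif' }));
console.log(auditStoredIcons(SAMPLE_RECORDS));
```

The validator deliberately allowlists rather than blocklists: new schemes, protocol-relative URLs and look-alike hosts are all rejected by default, and the audit reuses the same rule so that records written before the check existed are judged by the same standard.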