
CVE-2025-66451: CWE-20: Improper Input Validation in danny-avila LibreChat

Medium
Tags: Vulnerability, CVE-2025-66451, cve, cve-2025-66451, cwe-20, cwe-915
Published: Thu Dec 11 2025 (12/11/2025, 22:33:24 UTC)
Source: CVE Database V5
Vendor/Project: danny-avila
Product: LibreChat

Description

LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when creating prompts, JSON requests are sent to define and modify the prompts via PATCH endpoint for prompt groups (/api/prompts/groups/:groupId). However, the request bodies are not sufficiently validated for proper input, enabling users to modify prompts in a way that was not intended as part of the front end system. The patchPromptGroup function passes req.body directly to updatePromptGroup() without filtering sensitive fields. This issue is fixed in version 0.8.1.

AI-Powered Analysis

Last updated: 12/19/2025, 05:21:42 UTC

Technical Analysis

CVE-2025-66451 is a vulnerability identified in the LibreChat application, a ChatGPT clone with extended features, affecting versions 0.8.0 and below. The issue stems from improper input validation (CWE-20) and insufficient sanitization of user-supplied JSON data in the PATCH endpoint /api/prompts/groups/:groupId, which is used to create and modify prompt groups. Specifically, the patchPromptGroup function forwards the entire req.body directly to the updatePromptGroup() function without filtering or validating sensitive fields. This lack of validation allows an attacker to craft malicious JSON payloads that modify prompt group properties beyond the intended scope defined by the front-end interface. The vulnerability could enable unauthorized changes to prompt configurations, potentially impacting the integrity of the prompts and the behavior of the chatbot. The CVSS 4.0 vector indicates the attack can be performed remotely (AV:N) with low attack complexity (AC:L), no privileges required (PR:N), but requires user interaction (UI:P). The impact on confidentiality and integrity is low to limited, with no effect on availability. The vulnerability was fixed in LibreChat version 0.8.1 by implementing proper input validation and filtering of sensitive fields in the PATCH endpoint. No known exploits have been reported in the wild as of the publication date.

Potential Impact

For European organizations deploying LibreChat versions below 0.8.1, this vulnerability poses a risk of unauthorized modification of prompt groups, which could lead to manipulation of chatbot responses or workflows relying on prompt configurations. While the confidentiality impact is limited, the integrity of the chatbot's behavior could be compromised, potentially misleading users or automating unintended actions. This could affect sectors relying on accurate AI-driven communication, such as customer support, education, or internal knowledge management. Since no authentication is required, any user with access to the API endpoint could exploit this vulnerability, increasing the risk in multi-tenant or public-facing deployments. The absence of known exploits reduces immediate risk, but the medium severity score suggests organizations should prioritize remediation to prevent potential misuse. The impact on availability is negligible, so denial of service is unlikely. Overall, the threat could undermine trust in AI-driven services and lead to reputational damage or operational disruptions if prompt manipulation is leveraged maliciously.

Mitigation Recommendations

European organizations should immediately upgrade LibreChat installations to version 0.8.1 or later, where the vulnerability is patched. If upgrading is not immediately feasible, implement strict input validation and sanitization on the server side for the PATCH /api/prompts/groups/:groupId endpoint to ensure only allowed fields are modified. Employ API gateway or web application firewall (WAF) rules to detect and block anomalous JSON payloads attempting to alter sensitive fields. Restrict access to the prompt group modification API to authenticated and authorized users only, even if the vulnerability does not require authentication, to reduce attack surface. Monitor logs for unusual PATCH requests or prompt modifications indicative of exploitation attempts. Conduct regular security audits and penetration testing focused on API endpoints handling user input. Educate developers and administrators about secure coding practices, emphasizing input validation and least privilege principles. Finally, maintain an incident response plan to quickly address any detected exploitation.
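The server-side allowlist recommended above, shown next to the unfiltered pattern the description names. This is an added example, not LibreChat's code or its 0.8.1 patch: the handlers are simplified stand-ins with no web framework, and every field name (`name`, `category`, `oneliner`, `author`, `productionId`) is a hypothetical placeholder.

```javascript
'use strict';
// Constructed record standing in for a stored prompt group (field names are hypothetical).
const newGroup = () => ({ _id: 'g1', name: 'Greeting', category: 'general', author: 'user-A', productionId: 'p1' });

// Stand-in for the data-layer update: applies whatever it is handed.
function updatePromptGroup(group, update) {
  return Object.assign(group, update);
}

// "Before": the pattern the advisory describes, req.body forwarded unfiltered.
function patchPromptGroupUnsafe(group, req) {
  return { status: 200, group: updatePromptGroup(group, req.body) };
}

// Allowlist of client-editable fields, each with a type/length check (assumed set).
const EDITABLE = {
  name: (v) => typeof v === 'string' && v.length > 0 && v.length <= 100,
  category: (v) => typeof v === 'string' && v.length <= 50,
  oneliner: (v) => typeof v === 'string' && v.length <= 200,
};

// Copy only allowlisted, well-typed own keys; report everything else as rejected.
function sanitizeUpdate(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, rejected: ['<body>'] };
  }
  const update = Object.create(null); // no prototype, so no inherited keys
  const rejected = [];
  for (const key of Object.keys(body)) {
    // Own-property lookup: "__proto__" and "constructor" never match the allowlist.
    const check = Object.prototype.hasOwnProperty.call(EDITABLE, key) ? EDITABLE[key] : null;
    if (check && check(body[key])) update[key] = body[key];
    else rejected.push(key);
  }
  return { ok: rejected.length === 0 && Object.keys(update).length > 0, update, rejected };
}

// "After": fail closed with 400 and leave the record untouched if any field is rejected.
function patchPromptGroupSafe(group, req) {
  const { ok, update, rejected } = sanitizeUpdate(req.body);
  if (!ok) return { status: 400, rejected, group };
  return { status: 200, group: updatePromptGroup(group, update) };
}

// Constructed request body mixing an editable field with a server-owned one.
const sample = { body: JSON.parse('{"name":"Renamed","author":"user-B"}') };
console.log(patchPromptGroupUnsafe(newGroup(), sample).group.author);
console.log(patchPromptGroupSafe(newGroup(), sample));
```

Rejecting the whole request instead of silently dropping unknown keys also produces a log-worthy signal for the monitoring recommendation in the same paragraph.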


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-01T18:44:35.638Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 693b487c22246175c6a6ed55

Added to database: 12/11/2025, 10:41:00 PM

Last enriched: 12/19/2025, 5:21:42 AM

Last updated: 2/6/2026, 9:04:12 PM
