CVE-2026-54025 in LibreChat
Summary
by MITRE • 06/25/2026
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, there is a vulnerability in LibreChat's markdown artifact preview pipeline. The marked library v15.0.12 does not HTML-escape double-quote characters in image alt text when a custom renderer falls through to the default renderer. LibreChat's generateMarkdownHtml function (in client/src/utils/markdown.ts) installs a custom image renderer that returns false for URLs passing the isSafeUrl allowlist check, which causes marked to fall back to its built-in renderer. That built-in renderer inserts the raw alt text into the alt="..." attribute without escaping double-quote characters. An attacker can craft an alt text such as " onload="payload to break out of the attribute and inject an arbitrary event handler. The resulting HTML is then assigned to document.getElementById('content').innerHTML inside the Sandpack preview iframe, causing the payload to execute in the victim's browser. This vulnerability is fixed in 0.8.4-rc1.
Analysis
by VulDB Data Team • 06/25/2026
This vulnerability exists within LibreChat's markdown artifact preview functionality where the marked library version 15.0.12 fails to properly HTML-escape double-quote characters in image alt text attributes when custom renderers fall back to default behavior. The issue stems from LibreChat's implementation of the generateMarkdownHtml function in client/src/utils/markdown.ts which establishes a custom image renderer that returns false for URLs not passing the isSafeUrl allowlist validation. When this occurs, the marked library automatically falls back to its built-in renderer instead of the custom one, creating an execution path where raw alt text content bypasses proper sanitization.
The flaw is an HTML attribute injection in the alt="..." attribute of the rendered <img> tag: because double-quote characters in the alt text are not escaped, a crafted alt text can break out of the intended attribute context. An alt text containing a sequence such as " onload="payload closes the attribute early and injects an arbitrary event handler into the rendered HTML. This is a classic cross-site scripting vector arising from improper output encoding in a markdown processing pipeline.
The operational impact is significant: viewing maliciously crafted markdown through LibreChat's preview functionality results in arbitrary script execution in the victim's browser. The payload runs inside the Sandpack preview iframe context with the privileges of the user viewing the content, potentially leading to session hijacking, data exfiltration, or further exploitation of the victim's system. All users who interact with markdown content rendered by a vulnerable LibreChat version are affected.
The vulnerability aligns with CWE-79 (Cross-site Scripting) and CWE-116 (Improper Encoding or Escaping of Output) classifications, mapping to ATT&CK technique T1203 (Exploitation for Client Execution) in the execution phase. Organizations using LibreChat versions prior to 0.8.4-rc1 should immediately implement mitigations including upgrading to the patched version, implementing strict content validation for alt text attributes, and potentially adding additional sanitization layers before HTML assignment to DOM elements. The fix in 0.8.4-rc1 addresses this by ensuring proper HTML escaping of special characters in alt text during the markdown rendering process, preventing attribute injection attacks while maintaining functionality.
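The following is an added example, not code from LibreChat or from the marked library. It models the renderer fall-through described in the analysis (a custom image renderer returning false for allowlisted URLs, so the token is handed to a default renderer that does not escape double quotes in alt text) next to the fix described above (escaping every attribute-terminating character before interpolation). It also includes a quote-aware attribute scanner usable as a regression check that rendered output carries no event-handler attribute. The function names, the http(s)-only allowlist, and the sample token are assumptions; the rendering logic is modeled on the advisory text, not on marked's actual source.

```javascript
// Added example: models the fall-through described in the advisory and
// the attribute escaping that closes it. Not LibreChat or marked code.

// Assumed allowlist: only http(s) image sources count as safe.
function isSafeUrl(url) {
  try {
    const u = new URL(url, 'https://example.invalid/');
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch {
    return false;
  }
}

// Attribute escaper: every character that can terminate or re-open an
// attribute value, or start a tag, is encoded. '&' goes first so the
// entities it produces are not double-encoded.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Modeled "built-in" renderer with the described flaw: the alt text is
// interpolated into alt="..." with its double quotes intact.
function vulnerableDefaultImage({ href, alt }) {
  return `<img src="${escapeAttr(href)}" alt="${alt}">`;
}

// Fixed variant: the alt text goes through the same attribute escaper.
function fixedDefaultImage({ href, alt }) {
  return `<img src="${escapeAttr(href)}" alt="${escapeAttr(alt)}">`;
}

// Custom renderer in the style the advisory describes: returns false for
// allowlisted URLs (defer to the default renderer), drops the image otherwise.
function customImage(token) {
  return isSafeUrl(token.href) ? false : '';
}

// Dispatch modeled on the described fall-through: a custom renderer that
// returns false hands the token to the supplied default renderer.
function renderImage(token, defaultRenderer) {
  const out = customImage(token);
  return out === false ? defaultRenderer(token) : out;
}

// Quote-aware attribute scanner: collects attribute names per tag while
// consuming quoted values whole, so text inside a properly escaped
// attribute value is never mistaken for a new attribute.
function attributeNames(html) {
  const names = [];
  const tagRe = /<[a-zA-Z][\w-]*((?:\s+[^\s"'=<>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?)*)\s*\/?>/g;
  const attrRe = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;
  for (const tag of html.matchAll(tagRe)) {
    for (const attr of tag[1].matchAll(attrRe)) names.push(attr[1].toLowerCase());
  }
  return names;
}

// Regression check for a rendering pipeline: any on* attribute in the
// output means attribute context was broken somewhere upstream.
function hasEventHandlerAttribute(html) {
  return attributeNames(html).some((n) => n.startsWith('on'));
}

// Constructed sample token in the shape the advisory describes: a double
// quote in the alt text followed by an event handler.
const sampleToken = { href: 'https://example.invalid/x.png', alt: '" onload="alert(1)' };

// Renders the constructed token through both default renderers, plus a
// non-allowlisted URL to show the custom renderer dropping it.
function demo() {
  return {
    vulnerable: renderImage(sampleToken, vulnerableDefaultImage),
    fixed: renderImage(sampleToken, fixedDefaultImage),
    unsafeDropped: renderImage({ href: 'javascript:alert(1)', alt: 'x' }, vulnerableDefaultImage),
  };
}

console.log(demo());
```

The point the side-by-side makes is that the URL allowlist and the attribute escaping are independent controls: the custom renderer validated the href and then delegated the rest of the tag to code that never encoded the alt text. A pipeline-level check such as hasEventHandlerAttribute over the produced HTML, run in tests before anything is assigned to innerHTML, catches this class of regression regardless of which renderer produced the markup.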