Impact
LibreChat, an enhanced ChatGPT clone, has a stored cross‑site scripting vulnerability that arises when image alt text is not properly escaped in the markdown preview pipeline. The marked library, used for rendering markdown, inserts raw alt text into an alt="…" attribute without escaping double‑quote characters. An attacker can craft alt text that includes a leading double‑quote followed by an onload attribute and arbitrary payload, breaking out of the attribute and injecting a malicious event handler. The malicious HTML is then injected into the Sandpack preview iframe, causing the payload to execute inside the victim’s browser. This flaw permits an attacker to run arbitrary client‑side code in the context of the LibreChat application, compromising confidentiality, integrity, or availability of user data stored in the client environment.
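The defect class described above, shown as an added example that is not LibreChat's or marked's own code: a minimal markdown image renderer in which alt text is copied verbatim into a double-quoted attribute, beside the hardened form that escapes attribute values. The function names (`escapeAttr`, `renderImageUnsafe`, `renderImageSafe`, `markdownImageToHtml`, `countAttributes`) and the sample input are assumptions constructed for this example.

```javascript
// Added example (not LibreChat or marked code): a minimal markdown image
// renderer showing the unescaped-alt defect class and its fix.
// All function names and the sample input below are constructed for illustration.

// Escape the characters that can terminate or alter an HTML attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable pattern: alt text is interpolated directly into a quoted attribute,
// so a double quote inside the alt text ends the attribute early.
function renderImageUnsafe(src, alt) {
  return `<img src="${src}" alt="${alt}">`;
}

// Hardened pattern: every attribute value passes through escapeAttr, so a quote
// in the alt text becomes &quot; and stays inside the attribute.
function renderImageSafe(src, alt) {
  return `<img src="${escapeAttr(src)}" alt="${escapeAttr(alt)}">`;
}

// Tiny parser for the markdown image syntax ![alt](src); it deliberately lets
// any character except ']' through in the alt text, as a real parser would.
const IMAGE_RE = /^!\[([^\]]*)\]\(([^)\s]+)\)$/;
function markdownImageToHtml(markdown, render) {
  const m = IMAGE_RE.exec(markdown.trim());
  if (!m) throw new Error('not a markdown image');
  return render(m[2], m[1]);
}

// Count quoted attributes in the rendered tag. An <img> should carry exactly
// the attributes the renderer emitted (src and alt); any extra attribute is a
// sign the alt text broke out of its quotes.
function countAttributes(html) {
  return (html.match(/\s[a-z-]+="/gi) || []).length;
}

// Constructed sample: alt text containing a double quote and a stray attribute.
const SAMPLE = '![photo" data-injected="1](https://example.invalid/a.png)';
console.log(markdownImageToHtml(SAMPLE, renderImageUnsafe)); // three attributes
console.log(markdownImageToHtml(SAMPLE, renderImageSafe));   // two attributes
```

A regression check of this shape (render a quote-bearing alt text, then assert the attribute count is unchanged) is a cheap way to catch the escaping gap in a preview pipeline before it reaches an iframe.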
Affected Systems
The affected product is LibreChat, distributed by danny-avila. Versions prior to 0.8.4-rc1 are impacted; the issue is fixed in 0.8.4-rc1 and later releases.
Risk and Exploitability
The reported CVSS score is 5.4, indicating moderate severity. EPSS data is unavailable, and the vulnerability is not listed in CISA’s KEV catalog. An attacker exploits the flaw by submitting a crafted markdown artifact whose alt text contains the malicious content; the attack only succeeds when a user views the artifact preview, so it is typically a local or social-engineering scenario rather than remote exploitation from an untrusted network source. Once the preview is rendered, the injected script executes with the privileges of the logged-in user, potentially allowing session hijacking or data theft. Given the moderate CVSS score and the absence of exploitation-likelihood metrics, the overall risk is moderate, but the impact can be high if the script runs in a privileged context.
OpenCVE Enrichment