Description

In danny-avila/librechat version 0.7.9, the two-factor authentication (2FA) flow has an insecure API design issue: 2FA can be disabled without a valid one-time password (OTP) or backup code, bypassing the intended verification step. The backend does not validate the OTP or backup code when the endpoint `/api/auth/2fa/disable` is called directly, so the only thing the request needs is an authenticated session. An authenticated user can therefore weaken the protection on their own account; the page does not claim this leads to full account compromise on its own. The practical concern is that whoever holds a valid session for the account (the owner, or an attacker who has obtained one) can remove the second factor silently, which is exactly the situation a re-verification step on the disable endpoint is meant to prevent.

INFO

Published Date :

2025-10-30T19:59:36.327Z

Last Modified :

2025-11-05T14:57:26.783Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2025-8850.

Vendor      Product     Affected version
Librechat   Librechat   0.7.9

CVSS Vulnerability Scoring System

CVSS vector metrics (the individual values were not captured on this page): Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality Impact, Integrity Impact, Availability Impact.