Unauthorized User ID Manipulation in LibreChat by Danny Avila
CVE-2024-10359

4.6MEDIUM

Key Information:

Vendor: Danny-avila
Status: Danny-avila/librechat
Vendor: CVE Published:; 20 March 2025

🔔 Create Danny-avila Vulnerability Alert

What is CVE-2024-10359?

In version v0.7.5-rc2 of LibreChat by Danny Avila, a vulnerability exists in the preset creation functionality that allows an attacker to manipulate the user ID field via mass assignment. This flaw enables an unauthorized user to inject a different user ID into the preset object. As a result, presets may incorrectly appear in the UI of other users, jeopardizing data integrity and confidentiality due to inadequate validation of received attributes by the backend.

Affected Version(s)

danny-avila/librechat < 0.7.5

References

https://huntr.com/bounties/bba65eb4-4c83-4f33-83c1-ede5ed...

https://github.com/danny-avila/librechat/commit/e3e52402f...

CVSS V3.0

Score:

4.6

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 20, 2025
Vulnerability Reserved
Oct 24, 2024