Mass Assignment Vulnerability in LibreChat by Danny Avila
CVE-2025-7104

4.3MEDIUM

Key Information:

Vendor: Danny-avila
Status: Danny-avila/librechat
Vendor: CVE Published:; 29 September 2025

🔔 Create Danny-avila Vulnerability Alert

What is CVE-2025-7104?

The mass assignment vulnerability in LibreChat permits attackers to exploit weaknesses in data binding, enabling unauthorized manipulation of sensitive fields. By automatically binding user-supplied data to internal properties or database entries without adequate validation or filtering, this flaw allows for the overwriting of essential attributes like author details, access permissions, and project identifiers. The implementation also risks Object.Prototype pollution through the use of the Object.assign method with spread operators, consequently amplifying potential attack vectors.

Affected Version(s)

danny-avila/librechat < unspecified

References

https://huntr.com/bounties/32a175c4-7543-4503-a3d0-7880ab...

https://github.com/danny-avila/librechat/commit/a37bf6719...

CVSS V3.0

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 29, 2025
Vulnerability Reserved
Jul 5, 2025

CVE-2025-7104 Data

JSON