Mass Assignment Vulnerability in LibreChat by Danny Avila
CVE-2025-7104

4.3MEDIUM

Key Information:

Vendor

Danny-avila

Status
Danny-avila/librechat
Vendor
CVE Published:
29 September 2025

What is CVE-2025-7104?

The mass assignment vulnerability in LibreChat permits attackers to exploit weaknesses in data binding, enabling unauthorized manipulation of sensitive fields. By automatically binding user-supplied data to internal properties or database entries without adequate validation or filtering, this flaw allows for the overwriting of essential attributes like author details, access permissions, and project identifiers. The implementation also risks Object.Prototype pollution through the use of the Object.assign method with spread operators, consequently amplifying potential attack vectors.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

danny-avila/librechat < unspecified

References

https://huntr.com/bounties/32a175c4-7543-4503-a3d0-7880ab...
https://github.com/danny-avila/librechat/commit/a37bf6719...

CVSS V3.0

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.