Insecure API Design in danny-avila/librechat
CVE-2025-8850

3.1LOW

Key Information:

Vendor: Danny-avila
Status: Danny-avila/librechat
Vendor: CVE Published:; 30 October 2025

🔔 Create Danny-avila Vulnerability Alert

What is CVE-2025-8850?

In danny-avila/librechat version 0.7.9, there is an insecure API design issue in the 2-Factor Authentication (2FA) flow. The system allows users to disable 2FA without requiring a valid OTP or backup code, bypassing the intended verification process. This vulnerability occurs because the backend does not properly validate the OTP or backup code when the API endpoint '/api/auth/2fa/disable' is directly accessed. This flaw can be exploited by authenticated users to weaken the security of their own accounts, although it does not lead to full account compromise.

Affected Version(s)

danny-avila/librechat < unspecified

References

https://huntr.com/bounties/8e615709-f4de-41e2-b194-f0d91e...

https://github.com/danny-avila/librechat/commit/7e4c8a5d0...

CVSS V3.0

Score:

3.1

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 30, 2025
Vulnerability Reserved
Aug 10, 2025

JSON