Insecure API Design in LibreChat Affects User Authentication Security
CVE-2025-8850

3.1 LOW

Key Information:

Vendor: danny-avila
CVE Published: 30 October 2025

What is CVE-2025-8850?

LibreChat version 0.7.9, developed by danny-avila, exposes an API endpoint, '/api/auth/2fa/disable', that turns off two-factor authentication (2FA) for the calling account without requiring a valid one-time password (OTP) or backup code. The backend checks only that the request comes from an authenticated session; the second factor itself is never re-verified. This matters because 2FA exists to protect an account whose primary credential (password or session) has already been compromised: anyone holding a valid session can strip the protection with a single request instead of being stopped by it. The flaw does not on its own give an unauthenticated party access to an account, which is why the score is low (integrity impact only, low privileges required), but it defeats the safeguard 2FA is meant to provide. The expected behaviour is that disabling 2FA demands the same proof as an MFA login: a current OTP or an unused backup code, verified server-side before the secret is cleared.


Affected Version(s)

danny-avila/librechat < unspecified

CVSS V3.0

Score: 3.1
Severity: LOW
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Timeline

  • Vulnerability published: 30 October 2025

  • Vulnerability reserved