Insecure API Design in LibreChat Affects User Authentication Security
CVE-2025-8850

3.1 LOW

Key Information:

Vendor: danny-avila
CVE Published: 30 October 2025

What is CVE-2025-8850?

LibreChat (danny-avila/librechat) version 0.7.9 contains an API flaw that lets a user disable two-factor authentication (2FA) without presenting a valid one-time password (OTP) or backup code. The backend handler for the '/api/auth/2fa/disable' endpoint does not verify these inputs before removing the second factor, so an authenticated session is the only thing the request needs. The flaw does not by itself give an unauthenticated attacker access to an account, consistent with the CVSS vector (Privileges Required: Low, Integrity: Low); the practical risk is that anyone who obtains a user's session, or a user acting from a compromised device, can strip the second factor and leave the account protected by the password alone.

Affected Version(s)

danny-avila/librechat < unspecified

References

CVSS V3.0

Score: 3.1
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
