VYPR
Unrated severityNVD Advisory· Published Oct 30, 2025· Updated Nov 5, 2025

Insecure API Design in danny-avila/librechat

CVE-2025-8850

Description

In danny-avila/librechat version 0.7.9, there is an insecure API design issue in the 2-Factor Authentication (2FA) flow. The system allows users to disable 2FA without requiring a valid OTP or backup code, bypassing the intended verification process. This vulnerability occurs because the backend does not properly validate the OTP or backup code when the API endpoint '/api/auth/2fa/disable' is directly accessed. This flaw can be exploited by authenticated users to weaken the security of their own accounts, although it does not lead to full account compromise.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Range: = 0.7.9
  • danny-avila/danny-avila/librechatv5
    Range: unspecified

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.