Vulnerability Details CVE-2025-8850
In danny-avila/librechat version 0.7.9, there is an insecure API design issue in the 2-Factor Authentication (2FA) flow. The system allows users to disable 2FA without requiring a valid OTP or backup code, bypassing the intended verification process. This vulnerability occurs because the backend does not properly validate the OTP or backup code when the API endpoint '/api/auth/2fa/disable' is directly accessed. This flaw can be exploited by authenticated users to weaken the security of their own accounts, although it does not lead to full account compromise.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 11.0%
CVSS Severity
CVSS v3 Score 3.1
References