CVE-2025-8850 · HIGH 8.8 · EPSS p30.0%

CVE-2025-8850

Description

In danny-avila/librechat version 0.7.9, the 2-Factor Authentication (2FA) disable flow has an insecure API design: a user can disable 2FA without supplying a valid OTP or backup code, bypassing the intended verification step. The backend does not validate the OTP or backup code when the '/api/auth/2fa/disable' endpoint is called directly, so whatever verification the normal flow performs before that request is not enforced by the server. Any authenticated user can therefore weaken the security of their own account; the flaw does not by itself lead to full account compromise. The OTP check on this endpoint is a step-up control, so its absence matters most when a valid session is held by someone other than the legitimate user: a session alone should not be enough to remove the second factor.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.38% probability of exploitation · percentile 30.0% · 2026-06-19T12:03:05Z
Published: 2025-10-30
Last modified: 2025-11-19

Note that the vector's C:H/I:H/A:H impact is broader than the description above, which states that the flaw does not by itself lead to full account compromise; treat 8.8 as the assigned score rather than as a measure of the described impact when prioritising.

Underlying weaknesses · 1

CWE-440 (Expected Behavior Violation)

References

  1. https://github.com/danny-avila/librechat/commit/7e4c8a5d0d2dbe5bf8fd272ff6acafb27d24744f
  2. https://huntr.com/bounties/8e615709-f4de-41e2-b194-f0d91ed7c75e

Type      Target                                 Confidence  Tier
Weakness  Expected Behavior Violation (cwe-440)  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-41258
  2. CVE-2026-33265
  3. CVE-2025-66201
  4. CVE-2025-69222
  5. CVE-2026-28514
  6. CVE-2026-4208

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.