cnvd - cnvd-2025-06062

CNVD-2025-06062

Vulnerability from cnvd - Published: 2025-03-28

Title

LibreChat访问控制不当漏洞

Description

LibreChat是一个增强的ChatGPT克隆。 LibreChat存在访问控制不当漏洞，攻击者可利用该漏洞破坏应用程序逻辑和权限，允许未经授权的操作。

Severity

中

Patch Name

LibreChat访问控制不当漏洞的补丁

Patch Description

LibreChat是一个增强的ChatGPT克隆。 LibreChat存在访问控制不当漏洞，攻击者可利用该漏洞破坏应用程序逻辑和权限，允许未经授权的操作。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/danny-avila/librechat/commit/42a4d02c62e2a6cf677d1cb6cfcb36d136aaa599

Reference

https://github.com/danny-avila/librechat/commit/42a4d02c62e2a6cf677d1cb6cfcb36d136aaa599

Impacted products

Name
Danny Avila LibreChat 0.7.5

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-10363",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-10363"
    }
  },
  "description": "LibreChat\u662f\u4e00\u4e2a\u589e\u5f3a\u7684ChatGPT\u514b\u9686\u3002\n\nLibreChat\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u4e0d\u5f53\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7834\u574f\u5e94\u7528\u7a0b\u5e8f\u903b\u8f91\u548c\u6743\u9650\uff0c\u5141\u8bb8\u672a\u7ecf\u6388\u6743\u7684\u64cd\u4f5c\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/danny-avila/librechat/commit/42a4d02c62e2a6cf677d1cb6cfcb36d136aaa599",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-06062",
  "openTime": "2025-03-28",
  "patchDescription": "LibreChat\u662f\u4e00\u4e2a\u589e\u5f3a\u7684ChatGPT\u514b\u9686\u3002\r\n\r\nLibreChat\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u4e0d\u5f53\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7834\u574f\u5e94\u7528\u7a0b\u5e8f\u903b\u8f91\u548c\u6743\u9650\uff0c\u5141\u8bb8\u672a\u7ecf\u6388\u6743\u7684\u64cd\u4f5c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "LibreChat\u8bbf\u95ee\u63a7\u5236\u4e0d\u5f53\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Danny Avila LibreChat 0.7.5"
  },
  "referenceLink": "https://github.com/danny-avila/librechat/commit/42a4d02c62e2a6cf677d1cb6cfcb36d136aaa599",
  "serverity": "\u4e2d",
  "submitTime": "2025-03-27",
  "title": "LibreChat\u8bbf\u95ee\u63a7\u5236\u4e0d\u5f53\u6f0f\u6d1e"
}

CVE-2024-10363 (GCVE-0-2024-10363)

Vulnerability from cvelistv5 – Published: 2025-03-20 10:10 – Updated: 2025-10-15 12:49

Summary

In version 0.7.5 of danny-avila/LibreChat, there is an improper access control vulnerability. Users can share, use, and create prompts without being granted permission by the admin. This can break application logic and permissions, allowing unauthorized actions.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-862 - Missing Authorization

Assigner

@huntr_ai

References

URL

Tags

	https://huntr.com/bounties/41a1137d-e725-4fec-b04…
	https://github.com/danny-avila/librechat/commit/4…

Impacted products

	Vendor	Product	Version
	danny-avila	danny-avila/librechat	Affected: unspecified , < 0.7.5 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-10363",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-20T17:49:04.319980Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-20T18:23:18.794Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "danny-avila/librechat",
          "vendor": "danny-avila",
          "versions": [
            {
              "lessThan": "0.7.5",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In version 0.7.5 of danny-avila/LibreChat, there is an improper access control vulnerability. Users can share, use, and create prompts without being granted permission by the admin. This can break application logic and permissions, allowing unauthorized actions."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-15T12:49:26.990Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntr_ai"
      },
      "references": [
        {
          "url": "https://huntr.com/bounties/41a1137d-e725-4fec-b04c-58555cb16b6b"
        },
        {
          "url": "https://github.com/danny-avila/librechat/commit/42a4d02c62e2a6cf677d1cb6cfcb36d136aaa599"
        }
      ],
      "source": {
        "advisory": "41a1137d-e725-4fec-b04c-58555cb16b6b",
        "discovery": "EXTERNAL"
      },
      "title": "Improper Access Control in danny-avila/LibreChat"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntr_ai",
    "cveId": "CVE-2024-10363",
    "datePublished": "2025-03-20T10:10:19.050Z",
    "dateReserved": "2024-10-24T18:59:25.577Z",
    "dateUpdated": "2025-10-15T12:49:26.990Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-06062

CVE-2024-10363 (GCVE-0-2024-10363)

Tags

Sightings

Nomenclature