CVE-2024-10359

MEDIUM

danny-avila/librechat <0.7.5-rc2 - Code Injection

Title source: llm

Description

In danny-avila/librechat version v0.7.5-rc2, a vulnerability exists in the preset creation functionality where a user can manipulate the user ID field through mass assignment. This allows an attacker to inject a different user ID into the preset object, causing the preset to appear in the UI of another user. The vulnerability arises because the backend saves the entire object received without validating the attributes and their values, impacting both integrity and confidentiality.

References (2)

[Patch] https://github.com/danny-avila/librechat/commit/e3e52402f69accc35c6d0acd9c3266ae1cb6333f

View Patch ZIP pw:eip

[Exploit, Third Party Advisory] https://huntr.com/bounties/bba65eb4-4c83-4f33-83c1-ede5ed0d5656

Scores

CVSS v3 4.6

EPSS 0.0027

EPSS Percentile 50.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-915

Status published

Products (1)

librechat/librechat 0.7.5 rc2

Published Mar 20, 2025

Tracked Since Feb 18, 2026