In danny-avila/librechat version 0.7.9, there is an insecure API design issue in the 2-Factor Authentication (2FA) flow. The system allows users to disable 2FA without requiring a valid OTP or backup
In version 0.7.5 of danny-avila/LibreChat, there is an improper access control vulnerability. Users can share, use, and create prompts without being granted permission by the admin. This can break app
danny-avila/librechat is affected by an authorization bypass vulnerability due to improper access control checks. The `checkAccess` function in `api/server/middleware/roles/access.js` uses `permission
LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.1-rc2, LibreChat is vulnerable to Server-side Request Forgery (SSRF), by passing specially crafted OpenAPI specs to its "Act
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.7.6, an Insecure Direct Object Reference (IDOR) vulnerability exists in the API keys manag
LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 is prone to a server-side request forgery (SSRF)
vulnerability due to missing restrictions of the Actions feature in the defaul
In danny-avila/librechat version v0.7.5-rc2, a vulnerability exists in the preset creation functionality where a user can manipulate the user ID field through mass assignment. This allows an attacker
A vulnerability in danny-avila/librechat prior to version 0.7.6 allows for logs debug injection. The parameters sessionId, fileId, userId, and file_id in the /code/download/:sessionId/:fileId and /dow
An improper access control vulnerability in danny-avila/librechat versions prior to 0.7.6 allows authenticated users to delete other users' prompts via the groupid parameter. This issue occurs because
A vulnerability in danny-avila/librechat version git a1647d7 allows an unauthenticated attacker to cause a denial of service by sending a crafted payload to the server. The middleware `checkBan` is no
In affected versions, vulnerability-lookup did not track or limit failed
One-Time Password (OTP) attempts during Two-Factor Authentication (2FA)
verification. An attacker who already knew or guessed
LibreChat version 0.7.9 is vulnerable to a Denial of Service (DoS) attack due to unbounded parameter values in the `/api/memories` endpoint. The `key` and `value` parameters accept arbitrarily large i
LibreChat is a ChatGPT clone with additional features. Versions 0.8.2-rc2 through 0.8.2 are vulnerable to a server-side request forgery (SSRF) attack when using agent actions or MCP. Although a previo
An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat version v0.7.5-rc2. The endpoint does not verify whether the provided attachment
2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Prior to 6.1.0, a blind SSRF vulnerability exists in 2FAuth that allows authenticated users to
A vulnerability in the EnableTwoFactorAuthRequest SOAP endpoint of Zimbra Collaboration (ZCS) allows an attacker with valid user credentials to bypass Two-Factor Authentication (2FA) protection. The a
LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc1 through 0.8.3-rc1, user-created MCP (Model Context Protocol) servers can include arbitrary HTTP headers that undergo creden
LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, there is no handler for JSON parsing errors; SyntaxError from express.json() includes user input in the error messag
LibreChat is a ChatGPT clone with additional features. From 0.8.2 to 0.8.2-rc3, The MCP (Model Context Protocol) OAuth callback endpoint accepts the redirect from the identity provider and stores OAut
In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. The application uses multer middleware for handling multipart file uploads. When using in-memory stor
Page 1+ Next →