CVE-2025-8850: 
Chainguard vulnerability analysis and mitigation

A vulnerability was discovered in danny-avila/librechat version 0.7.9 related to an insecure API design in the Two-Factor Authentication (2FA) flow. The vulnerability (CVE-2025-8850) was disclosed on October 30, 2025, affecting the 2FA disable functionality. The issue allows authenticated users to disable 2FA without providing proper verification through OTP or backup codes (NVD).

The vulnerability stems from an insecure API design where the backend fails to properly validate One-Time Password (OTP) or backup codes when the API endpoint '/api/auth/2fa/disable' is directly accessed. The vulnerability has been assigned a CVSS v3.0 base score of 3.1 (LOW) with the vector string CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N. The weakness is classified as CWE-440 (Expected Behavior Violation) (NVD).

While the vulnerability does not lead to full account compromise, it allows authenticated users to bypass the intended verification process and weaken the security of their own accounts by disabling 2FA without proper verification (NVD).

A fix has been implemented that requires proper verification through either a valid OTP token or backup code when disabling 2FA. The patch ensures that the backend properly validates these credentials before allowing the 2FA disable operation (Github Commit).