cnvd - cnvd-2025-06062

cnvd-2025-06062

Vulnerability from cnvd

Title: LibreChat访问控制不当漏洞

Description:

LibreChat是一个增强的ChatGPT克隆。

LibreChat存在访问控制不当漏洞，攻击者可利用该漏洞破坏应用程序逻辑和权限，允许未经授权的操作。

Severity: 中

Patch Name: LibreChat访问控制不当漏洞的补丁

Patch Description:

LibreChat是一个增强的ChatGPT克隆。

LibreChat存在访问控制不当漏洞，攻击者可利用该漏洞破坏应用程序逻辑和权限，允许未经授权的操作。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/danny-avila/librechat/commit/42a4d02c62e2a6cf677d1cb6cfcb36d136aaa599

Reference: https://github.com/danny-avila/librechat/commit/42a4d02c62e2a6cf677d1cb6cfcb36d136aaa599

Impacted products

Name
Danny Avila LibreChat 0.7.5

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-10363",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-10363"
    }
  },
  "description": "LibreChat\u662f\u4e00\u4e2a\u589e\u5f3a\u7684ChatGPT\u514b\u9686\u3002\n\nLibreChat\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u4e0d\u5f53\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7834\u574f\u5e94\u7528\u7a0b\u5e8f\u903b\u8f91\u548c\u6743\u9650\uff0c\u5141\u8bb8\u672a\u7ecf\u6388\u6743\u7684\u64cd\u4f5c\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/danny-avila/librechat/commit/42a4d02c62e2a6cf677d1cb6cfcb36d136aaa599",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-06062",
  "openTime": "2025-03-28",
  "patchDescription": "LibreChat\u662f\u4e00\u4e2a\u589e\u5f3a\u7684ChatGPT\u514b\u9686\u3002\r\n\r\nLibreChat\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u4e0d\u5f53\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7834\u574f\u5e94\u7528\u7a0b\u5e8f\u903b\u8f91\u548c\u6743\u9650\uff0c\u5141\u8bb8\u672a\u7ecf\u6388\u6743\u7684\u64cd\u4f5c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "LibreChat\u8bbf\u95ee\u63a7\u5236\u4e0d\u5f53\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Danny Avila LibreChat 0.7.5"
  },
  "referenceLink": "https://github.com/danny-avila/librechat/commit/42a4d02c62e2a6cf677d1cb6cfcb36d136aaa599",
  "serverity": "\u4e2d",
  "submitTime": "2025-03-27",
  "title": "LibreChat\u8bbf\u95ee\u63a7\u5236\u4e0d\u5f53\u6f0f\u6d1e"
}

CVE-2024-10363 (GCVE-0-2024-10363)

Vulnerability from cvelistv5

Published

2025-03-20 10:10

Modified

2025-03-20 18:23

Severity ?

5.4 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-284 - Improper Access Control

Summary

In version 0.7.5 of danny-avila/LibreChat, there is an improper access control vulnerability. Users can share, use, and create prompts without being granted permission by the admin. This can break application logic and permissions, allowing unauthorized actions.

References

▼	URL	Tags
	https://huntr.com/bounties/41a1137d-e725-4fec-b04c-58555cb16b6b
	https://github.com/danny-avila/librechat/commit/42a4d02c62e2a6cf677d1cb6cfcb36d136aaa599

Impacted products

	Vendor	Product	Version
	danny-avila	danny-avila/librechat	Version: unspecified < 0.7.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-10363",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-20T17:49:04.319980Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-20T18:23:18.794Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "danny-avila/librechat",
          "vendor": "danny-avila",
          "versions": [
            {
              "lessThan": "0.7.5",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In version 0.7.5 of danny-avila/LibreChat, there is an improper access control vulnerability. Users can share, use, and create prompts without being granted permission by the admin. This can break application logic and permissions, allowing unauthorized actions."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-20T10:10:19.050Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntr_ai"
      },
      "references": [
        {
          "url": "https://huntr.com/bounties/41a1137d-e725-4fec-b04c-58555cb16b6b"
        },
        {
          "url": "https://github.com/danny-avila/librechat/commit/42a4d02c62e2a6cf677d1cb6cfcb36d136aaa599"
        }
      ],
      "source": {
        "advisory": "41a1137d-e725-4fec-b04c-58555cb16b6b",
        "discovery": "EXTERNAL"
      },
      "title": "Improper Access Control in danny-avila/LibreChat"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntr_ai",
    "cveId": "CVE-2024-10363",
    "datePublished": "2025-03-20T10:10:19.050Z",
    "dateReserved": "2024-10-24T18:59:25.577Z",
    "dateUpdated": "2025-03-20T18:23:18.794Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted