PT-2025-39846 · Librechat · Librechat

Published: 2025-09-29 · Updated: 2025-10-16 · CVE-2025-7104

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: librechat (affected versions not specified)
Description: A mass assignment issue exists that allows manipulation of sensitive fields. The application automatically binds user-provided data to internal object properties or database fields without proper filtering, and attackers can exploit this. Extra fields in the request body are included in agentData and passed to the database layer, potentially overwriting fields like author, access level, isCollaborative, and projectIds. The use of Object.assign with spread operators can lead to Object.prototype pollution.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
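The missing filtering described above, as an added example that is not LibreChat code: a hypothetical helper that passes the whole request body into agentData, next to an allowlist version that copies only client-settable fields. The function names, the allowlisted field names and the sample request body are assumptions constructed for illustration.

```javascript
// Constructed example: ALLOWED_FIELDS, buildAgentDataUnsafe, buildAgentDataSafe
// and rejectedKeys are hypothetical names, not taken from LibreChat.

// Fields a client may set (assumed list); everything else is server-controlled.
const ALLOWED_FIELDS = ['name', 'description', 'instructions'];

// Vulnerable pattern: every key in the request body reaches the database layer.
function buildAgentDataUnsafe(body, userId) {
  return Object.assign({ author: userId }, { ...body });
}

// Hardened pattern: copy only allowlisted own properties into a prototype-less
// object, then set server-controlled fields last so the client cannot override them.
function buildAgentDataSafe(body, userId) {
  const agentData = Object.create(null);
  for (const key of ALLOWED_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, key)) {
      agentData[key] = body[key];
    }
  }
  agentData.author = userId;
  return agentData;
}

// Keys outside the allowlist, suitable for logging or rejecting the request.
function rejectedKeys(body) {
  return Object.keys(body).filter((k) => !ALLOWED_FIELDS.includes(k));
}

// Constructed request body carrying the extra fields named in the description.
const sampleBody = JSON.parse(
  '{"name":"helper","author":"someone-else","isCollaborative":true,' +
  '"projectIds":["p1"],"__proto__":{"polluted":true}}'
);

// Unsafe: author is overwritten, isCollaborative and projectIds pass through,
// and the "__proto__" key replaces the prototype of the returned object.
console.log(buildAgentDataUnsafe(sampleBody, 'user-123'));
// Safe: only "name" is copied and author stays the authenticated user.
console.log(buildAgentDataSafe(sampleBody, 'user-123'));
console.log(rejectedKeys(sampleBody));
```
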

Weakness Enumeration

Related Identifiers: CVE-2025-7104

Affected Products: Librechat