PT-2025-44458 · Librechat · Librechat

Published: 2025-10-30 · Updated: 2025-11-19 · CVE-2025-8850

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: LibreChat version 0.7.9

Description: The software has an insecure API design in its 2-Factor Authentication (2FA) flow. A user can disable 2FA without presenting a valid One-Time Password (OTP) or backup code, so the verification step is bypassed entirely. The cause is that the backend does not validate the OTP or backup code when the /api/auth/2fa/disable endpoint is called. An authenticated user can exploit this to weaken their account security.

Recommendations: Ensure the OTP or backup code is validated before the /api/auth/2fa/disable endpoint disables 2FA.

Fix

Weakness Enumeration

Related Identifiers

CVE-2025-8850

Affected Products

Librechat