CVE-2025-6088— Improper Authorization in danny-avila/librechat

Improper Authorization in danny-avila/librechat

In version 0.7.8 of danny-avila/librechat, improper authorization controls in the conversation sharing feature allow unauthorized access to other users' conversations if the conversation ID is known. Although UUIDv4 conversation IDs are generated server-side and are difficult to brute force, they can be obtained from less-protected sources such as server-side access logs, browser history, or screenshots. The vulnerability permits a logged-in user to gain read-only access to another user's conversations by exploiting the `/api/share/conversationID` endpoint, which lacks authorization checks. This issue is resolved in version v0.7.9-rc1.

N/A

授权机制不恰当

LibreChat 授权问题漏洞

LibreChat是Danny Avila个人开发者的一个增强的 ChatGPT 克隆。 LibreChat 0.7.8版本存在授权问题漏洞，该漏洞源于对话共享功能授权控制不当，可能导致未授权访问其他用户对话。

N/A

N/A