CVE-2025-41258
EUVD-2025-208825 | Severity: HIGH (CVSS 3.1 base score 8.0)
Published 2026-03-18 | Reporter: sba-research

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

CVE Published: Mar 18, 2026 - 11:08 (nvd)
EUVD ID Assigned: Mar 18, 2026 - 11:30 (euvd), EUVD-2025-208825
Analysis Generated: Mar 18, 2026 - 11:30 (vuln.today)

Description

LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session mechanism and RAG API which compromises the service-level authentication of the RAG API.

Analysis

A high-severity authentication bypass exists in LibreChat version 0.8.1-rc2: the same JWT secret signs both user session tokens and the tokens that authenticate callers to the RAG (Retrieval-Augmented Generation) API. Because the RAG API verifies tokens with that shared secret, a token minted for an ordinary user session also verifies as a valid credential at the RAG API, so an authenticated user can present their session token to the RAG service and reach it beyond the privileges intended for a user. The CVSS vector scores the issue at 8.0 (HIGH) with adjacent-network attack vector and low privileges required. No active exploitation (KEV) has been reported, but a detailed security advisory with technical analysis is publicly available from SBA Research.

Technical Context

LibreChat is a web-based chat application (cpe:2.3:a:danny-avila:librechat) that implements RAG (Retrieval-Augmented Generation) functionality to enrich AI responses with retrieved documents. The vulnerability is classified as CWE-284 (Improper Access Control): the application uses one JWT signing secret across two distinct security boundaries. When the same key material signs tokens for browser sessions and for service-level API authentication, the verifier at the service boundary cannot tell the two apart by signature alone; any valid session token is, to the RAG API, a valid service token, and a compromise of the secret in either component compromises both. A user cannot forge new tokens without the secret, but does not need to: the token they already hold is enough. This violates the principle of defense in depth and collapses the isolation between the user-facing application and its backend service.

Affected Products

LibreChat version 0.8.1-rc2 is confirmed vulnerable as reported by SBA Research and documented in EUVD-2025-208825. The affected product is identified via CPE string cpe:2.3:a:danny-avila:librechat:*:*:*:*:*:*:*:*, maintained by developer danny-avila. The official LibreChat repository is available at https://github.com/danny-avila/LibreChat and the detailed security advisory from SBA Research is published at https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20251205-01_LibreChat_RAG_API_Authentication_Bypass. This page does not name a fixed release; check the advisory and the repository for the patched version.

Remediation

Users running LibreChat version 0.8.1-rc2 should upgrade to a patched version as soon as one is available. The root fix is to stop sharing key material across the two boundaries: user session tokens and RAG API credentials must be signed with distinct secrets, so that a session token does not verify at the RAG API. Where the deployment's configuration allows separate secrets for the session mechanism and the RAG API, set them; otherwise rely on the upstream fix. Review the SBA Research security advisory at https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20251205-01_LibreChat_RAG_API_Authentication_Bypass for detailed technical guidance and consult the official LibreChat repository at https://github.com/danny-avila/LibreChat for patch availability and upgrade instructions. As interim mitigations, restrict network access to the RAG API endpoints to the LibreChat backend (and any other trusted service accounts) so that end users cannot reach them directly, and add an authorization check at the RAG API that rejects tokens carrying user-session claims, for example by requiring an audience or issuer claim that only backend-minted service tokens carry. Note that a claim check alone does not restore separation if the shared secret itself leaks; separate secrets are the real fix.
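The following added example (written for this page, not code from LibreChat, its RAG API, or the SBA Research advisory) illustrates the point made in Technical Context and the two remediations above. It mints HS256 JWTs with a hand-rolled signer so it runs offline, then shows three things: with one shared secret, a user session token verifies at the "RAG service" as-is; with a separate secret per boundary, the same token is rejected; and an audience check (assumed claim name "aud", assumed value "rag-api") lets the service distinguish backend-minted tokens from session tokens even when it cannot change the secret. The claim names and token contents are constructed for illustration and are not LibreChat's actual claim set.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Mint a minimal HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes, expected_aud: Optional[str] = None) -> Optional[dict]:
    """Return the claims if the HS256 signature (and, when given, the audience) checks out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never accept "none" or a switch to another alg
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if expected_aud is not None and claims.get("aud") != expected_aud:
        return None
    return claims


# Constructed sample claims; names are illustrative, not LibreChat's real claim set.
USER_CLAIMS = {"sub": "user-123", "role": "user"}               # what a browser session carries
SERVICE_CLAIMS = {"sub": "librechat-backend", "aud": "rag-api"}  # what the backend should present


def shared_secret_accepts_session_token() -> bool:
    """Flawed pattern: one JWT_SECRET both signs sessions and guards the RAG API."""
    jwt_secret = secrets.token_bytes(32)
    session_token = sign_jwt(USER_CLAIMS, jwt_secret)
    # The RAG service verifies with the very same key, so the user's session token
    # is indistinguishable from a service credential.
    return verify_jwt(session_token, jwt_secret) is not None


def separate_secrets_reject_session_token() -> bool:
    """Fix 1: a distinct secret per trust boundary; the session HMAC does not verify under the RAG key."""
    session_secret = secrets.token_bytes(32)
    rag_secret = secrets.token_bytes(32)
    session_token = sign_jwt(USER_CLAIMS, session_secret)
    return verify_jwt(session_token, rag_secret) is None


def audience_check_rejects_session_token() -> bool:
    """Fix 2 (defence in depth): the RAG API insists on aud == "rag-api". A session token never
    carries it and a user cannot add it without the secret, while a backend-minted service token passes."""
    jwt_secret = secrets.token_bytes(32)
    session_token = sign_jwt(USER_CLAIMS, jwt_secret)
    service_token = sign_jwt(SERVICE_CLAIMS, jwt_secret)
    session_rejected = verify_jwt(session_token, jwt_secret, expected_aud="rag-api") is None
    service_accepted = verify_jwt(service_token, jwt_secret, expected_aud="rag-api") is not None
    return session_rejected and service_accepted


if __name__ == "__main__":
    print("shared secret accepts session token:", shared_secret_accepts_session_token())
    print("separate secrets reject session token:", separate_secrets_reject_session_token())
    print("audience check rejects session token:", audience_check_rejects_session_token())
```

All three scenario functions return True: the first demonstrates the bypass, the other two the mitigations. The audience check only helps while the secret stays private to the backend; if the shared secret leaks, a user can mint a token with any claims, which is why separate secrets per boundary remain the primary fix.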

Priority Score: 40 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.0
CVSS: +40
POC: 0
