How to fix CVE-2025-6088?

During next maintenance window: Apply vendor patches when convenient. Vendor patch is available.

Is Librechat affected by CVE-2025-6088?

CVE-2025-6088 is a low-severity vulnerability (CVSS 3.1). The limited severity suggests constrained impact, typically requiring specific conditions or local access for exploitation. A patch is available and can be applied during standard maintenance windows.

CVE-2025-6088

LOW

2025-09-11 [email protected]

3.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:11 vuln.today

Patch Released

Mar 28, 2026 - 19:11 nvd

Patch available

PoC Detected

Oct 16, 2025 - 16:00 vuln.today

Public exploit code

CVE Published

Sep 11, 2025 - 01:15 nvd

LOW 3.1

Description

In version 0.7.8 of danny-avila/librechat, improper authorization controls in the conversation sharing feature allow unauthorized access to other users' conversations if the conversation ID is known. Although UUIDv4 conversation IDs are generated server-side and are difficult to brute force, they can be obtained from less-protected sources such as server-side access logs, browser history, or screenshots. The vulnerability permits a logged-in user to gain read-only access to another user's conversations by exploiting the `/api/share/conversationID` endpoint, which lacks authorization checks. This issue is resolved in version v0.7.9-rc1.

Analysis

Technical Context

This vulnerability is classified under CWE-285. In version 0.7.8 of danny-avila/librechat, improper authorization controls in the conversation sharing feature allow unauthorized access to other users' conversations if the conversation ID is known. Although UUIDv4 conversation IDs are generated server-side and are difficult to brute force, they can be obtained from less-protected sources such as server-side access logs, browser history, or screenshots. The vulnerability permits a logged-in user to gain read-only access to another user's conversations by exploiting the `/api/share/conversationID` endpoint, which lacks authorization checks. This issue is resolved in version v0.7.9-rc1. Affected products include: Librechat. Version information: version 0.7.8.

Affected Products

Librechat.

Remediation

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +16

POC: +20

CVE-2025-6088 vulnerability details – vuln.today

Back

CVE-2025-6088

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-6088

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code