What is the CVSS score of CVE-2025-6088?

CVE-2025-6088 has a CVSS 3.1 base score of 3.1 (Low). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Librechat are affected by CVE-2025-6088?

CVE-2025-6088 is a low-severity vulnerability (CVSS 3.1). The limited severity suggests constrained impact, typically requiring specific conditions or local access for exploitation.. A patch is available.

Is there a public PoC exploit available for CVE-2025-6088?

Yes, a public proof-of-concept exploit is available for CVE-2025-6088. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-6088?

During next maintenance window: Apply vendor patches when convenient. Vendor patch is available.

Librechat CVE-2025-6088

LOW

Improper Authorization (CWE-285)

2025-09-11 security@huntr.dev

Authentication Bypass Librechat

3.1

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

3.1 LOW

AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:11 vuln.today

Patch released

Mar 28, 2026 - 19:11 nvd

Patch available

PoC Detected

Oct 16, 2025 - 16:00 vuln.today

Public exploit code

CVE Published

Sep 11, 2025 - 01:15 nvd

LOW 3.1

DescriptionCVE.org

In version 0.7.8 of danny-avila/librechat, improper authorization controls in the conversation sharing feature allow unauthorized access to other users' conversations if the conversation ID is known. Although UUIDv4 conversation IDs are generated server-side and are difficult to brute force, they can be obtained from less-protected sources such as server-side access logs, browser history, or screenshots. The vulnerability permits a logged-in user to gain read-only access to another user's conversations by exploiting the /api/share/conversationID endpoint, which lacks authorization checks. This issue is resolved in version v0.7.9-rc1.

AnalysisAI

Technical ContextAI

This vulnerability is classified under CWE-285. In version 0.7.8 of danny-avila/librechat, improper authorization controls in the conversation sharing feature allow unauthorized access to other users' conversations if the conversation ID is known. Although UUIDv4 conversation IDs are generated server-side and are difficult to brute force, they can be obtained from less-protected sources such as server-side access logs, browser history, or screenshots. The vulnerability permits a logged-in user to gain read-only access to another user's conversations by exploiting the /api/share/conversationID endpoint, which lacks authorization checks. This issue is resolved in version v0.7.9-rc1. Affected products include: Librechat. Version information: version 0.7.8.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2025-6088 vulnerability details – vuln.today

Back

Librechat CVE-2025-6088

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code