Skip to main content
CVE Vulnerability Database

CVE-2025-7104: LibreChat Auth Bypass Vulnerability

CVE-2025-7104 is a mass assignment authentication bypass flaw in LibreChat that lets attackers manipulate sensitive fields and pollute Object.Prototype. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-7104 Overview

CVE-2025-7104 is a mass assignment vulnerability in danny-avila/librechat, an open-source AI chat platform. The flaw affects all versions and stems from the agent creation and update endpoints binding user-supplied request fields directly to internal object properties without filtering. Attackers can overwrite protected schema fields such as author, access_level, isCollaborative, and projectIds. The use of Object.assign with spread operators also enables prototype pollution against Object.prototype. The vulnerability is classified under CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes.

Critical Impact

Unauthenticated network attackers can overwrite arbitrary agent schema fields and pollute Object.prototype, compromising integrity of agent ownership, collaboration controls, and project assignments.

Affected Products

  • LibreChat — all versions prior to the patched release
  • Deployments using the agent creation and update endpoints in api/server/controllers/agents/v1.js
  • Self-hosted and containerized LibreChat instances exposed over the network

Discovery Timeline

  • 2025-09-29 - CVE-2025-7104 published to NVD
  • 2025-10-16 - Last updated in NVD database

Technical Details for CVE-2025-7104

Vulnerability Analysis

LibreChat exposes REST endpoints that accept JSON payloads for creating and updating AI agents. The controller logic passes the entire request body into agentData and forwards it to the database layer. No allowlist filters which fields a client may set. As a result, an attacker submits extra properties in the request body, and those properties are written to the persisted agent document.

Fields intended to be server-controlled, including author, access_level, isCollaborative, and projectIds, become attacker-controlled. An attacker can reassign agent ownership, escalate collaborative access, or attach agents to projects they should not influence. Beyond schema fields, the merge pattern uses Object.assign together with spread operators on untrusted input, which permits prototype pollution by sending crafted keys such as __proto__. Polluting Object.prototype can alter behavior of unrelated objects across the Node.js process.

Root Cause

The root cause is missing input validation and the absence of a strict schema allowlist on agent creation and update routes. The controller trusted the shape of the incoming object and propagated unknown keys directly into persistence and into in-memory merges.

Attack Vector

The attack vector is network based and does not require user interaction. An attacker sends a crafted JSON request to the agent endpoints, including unauthorized fields or polluting keys. The server then writes those fields to the agent record or merges them into shared objects.

javascript
// Security patch in api/server/controllers/agents/v1.js
// Source: https://github.com/danny-avila/librechat/commit/a37bf6719cfbc2de270f7d87b6b85d87cc1768db
+const { z } = require('zod');
 const fs = require('fs').promises;
 const { nanoid } = require('nanoid');
 const { logger } = require('@librechat/data-schemas');
+const { agentCreateSchema, agentUpdateSchema } = require('@librechat/api');
 const {
   Tools,
   Constants,
   FileSources,
   SystemRoles,
   EToolResources,
   actionDelimiter,
+  removeNullishValues,
 } = require('librechat-data-provider');

The patch introduces zod schemas (agentCreateSchema, agentUpdateSchema) and a removeNullishValues helper, enforcing a strict allowlist of accepted fields before data reaches the database layer.

Detection Methods for CVE-2025-7104

Indicators of Compromise

  • Agent documents in the database showing unexpected changes to author, access_level, isCollaborative, or projectIds fields
  • HTTP POST or PATCH requests to LibreChat agent endpoints containing keys such as __proto__, constructor, or prototype in the JSON body
  • Agents appearing in projects without a corresponding administrative action in audit logs
  • Sudden conversion of private agents to collaborative state

Detection Strategies

  • Inspect web server and application logs for requests to /api/agents endpoints containing fields outside the documented agent schema
  • Compare current agent records against a known-good baseline to identify unauthorized field modifications
  • Add request body schema validation at a reverse proxy or WAF to flag payloads containing prototype-related keys

Monitoring Recommendations

  • Enable verbose request logging on agent controller routes and forward to centralized log storage
  • Monitor for repeated 200 responses to agent update calls originating from low-privilege user sessions
  • Track database write events on the agents collection and alert on changes to ownership or access control fields

How to Mitigate CVE-2025-7104

Immediate Actions Required

  • Upgrade LibreChat to the version containing commit a37bf6719cfbc2de270f7d87b6b85d87cc1768db, which adds zod validation for agent creation and updates
  • Audit existing agents for unauthorized changes to author, access_level, isCollaborative, and projectIds fields
  • Restrict network exposure of LibreChat agent endpoints to authenticated, trusted users until the patch is applied

Patch Information

The upstream fix is available in the LibreChat repository in commit a37bf6719cfbc2de270f7d87b6b85d87cc1768db. The patch introduces agentCreateSchema and agentUpdateSchema to validate input and uses removeNullishValues to strip undesired keys before persistence. Additional context is available in the Huntr bug bounty disclosure.

Workarounds

  • Deploy a reverse proxy rule that rejects requests to agent endpoints containing keys like __proto__, constructor, or prototype
  • Implement a server-side allowlist filter for accepted agent fields if patching is not immediately feasible
  • Place LibreChat behind authentication and limit agent endpoint access to administrator roles temporarily
bash
# Example nginx rule to block prototype pollution payloads on agent endpoints
location /api/agents {
    if ($request_body ~* "(__proto__|\"constructor\"|\"prototype\")") {
        return 400;
    }
    proxy_pass http://librechat_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.