What is CVE-2025-41258?

CVE-2025-41258 is a high-severity vulnerability in Danny-avila Librechat, classified under Improper Access Control. CVSS score: 8.0/10. Published 2026-03-18.

How severe is CVE-2025-41258?

High severity. CVSS v3 base score is 8.0 out of 10.

Vulnerability in Danny-avila Librechat

CVE-2025-41258

LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session mechanism and RAG API which compromises the service-level authentication of the RAG API.

EPSS: 0.001 (23.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.0 (High). Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Affected products

Danny-avila Librechat — versions 0.8.1-rc2

Weakness classification (CWE)

CWE-284 — Improper Access Control

References

github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20251205-01_LibreCha… (third-party-advisory)
github.com/danny-avila/LibreChat (product)

Frequently asked questions

What is CVE-2025-41258?: CVE-2025-41258 is a high-severity vulnerability in Danny-avila Librechat, classified under Improper Access Control. CVSS score: 8.0/10. Published 2026-03-18.
How severe is CVE-2025-41258?: High severity. CVSS v3 base score is 8.0 out of 10.