What is CVE-2025-69220?

CVE-2025-69220 is a high-severity vulnerability in Danny-avila Librechat, classified under Missing Authorization. CVSS score: 7.1/10. Published 2026-01-07.

How severe is CVE-2025-69220?

High severity. CVSS v3 base score is 7.1 out of 10.

Auth bypass in Danny-avila Librechat

CVE-2025-69220

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file uploads to an agents file context and file search. An authenticated attacker with access to the agent ID can change th…

Vulnerability class: Broken Access Control

EPSS: 0.000 (15.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.1 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L.

Affected products

Danny-avila Librechat — versions >= 0.8.1-rc2, < 0.8.2-rc2

Weakness classification (CWE)

References

https://github.com/danny-avila/LibreChat/security/advisories/GHSA-xcmf-rpmh-hg59 (x_refsource_CONFIRM)
https://github.com/danny-avila/LibreChat/commit/4b9c6ab1cb9de626736de700c7981f38be08d237 (x_refsource_MISC)
https://cwe.mitre.org/data/definitions/284.html (x_refsource_MISC)
https://cwe.mitre.org/data/definitions/862.html (x_refsource_MISC)
https://github.com/danny-avila/LibreChat/releases/tag/v0.8.2-rc2 (x_refsource_MISC)
https://owasp.org/Top10/A01_2021-Broken_Access_Control (x_refsource_MISC)
https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.html (x_refsource_MISC)
https://raw.githubusercontent.com/OWASP/ASVS/v5.0.0/5.0/OWASP_Application_Security_Verification_Standard_5.0.0_en.pdf (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-69220?: CVE-2025-69220 is a high-severity vulnerability in Danny-avila Librechat, classified under Missing Authorization. CVSS score: 7.1/10. Published 2026-01-07.
How severe is CVE-2025-69220?: High severity. CVSS v3 base score is 7.1 out of 10.