ByteOS Network

NVD Vulnerability Details :

CVE-2024-10366

Modified

Source-security@huntr.dev

Published At-20 Mar, 2025 | 10:15

Updated At-15 Jul, 2025 | 11:15

An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat version v0.7.5-rc2. The endpoint does not verify whether the provided attachment ID belongs to the current user, allowing any authenticated user to delete attachments of other users.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Secondary	3.0	7.6	HIGH	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Type: Primary

Version: 3.1

Base score: 6.5

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Type: Secondary

Version: 3.0

Base score: 7.6

Base severity: HIGH

Vector:

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

CPE Matches

librechat>>librechat>>0.7.5

cpe:2.3:a:librechat:librechat:0.7.5:rc2:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-639	Primary	security@huntr.dev
CWE-639	Secondary	nvd@nist.gov

CWE ID: CWE-639

Type: Primary

Source: security@huntr.dev

CWE ID: CWE-639

Type: Secondary

Source: nvd@nist.gov

References

Hyperlink	Source	Resource
https://github.com/danny-avila/librechat/commit/a350443661d001ac55787741969a75d94ca14116	security@huntr.dev	Patch
https://huntr.com/bounties/cde47cf8-dc81-46ab-b472-f7e44a981a7e	security@huntr.dev	Exploit Third Party Advisory

Hyperlink: https://github.com/danny-avila/librechat/commit/a350443661d001ac55787741969a75d94ca14116

Source: security@huntr.dev

Resource:

Patch

Hyperlink: https://huntr.com/bounties/cde47cf8-dc81-46ab-b472-f7e44a981a7e

Source: security@huntr.dev

Resource:

Exploit

Third Party Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History