LibreChat 2FA Bypass Vulnerability in danny-avila/librechat

Vulnerability

A vulnerability in the 2-Factor Authentication (2FA) process of LibreChat version 0.7.9 allows users to disable 2FA without providing a valid OTP or backup code. This issue arises from inadequate validation in the backend API endpoint '/api/auth/2fa/disable', enabling authenticated users to weaken their account security without proper verification. While this flaw does not lead to a complete account compromise, it undermines the overall security of the user's account.

Impact

Exploiting this vulnerability allows authenticated users to disable 2FA on their accounts, reducing their account security. However, it does not result in a full account compromise.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to the '/api/auth/2fa/disable' endpoint without including a valid OTP or backup code. The request must include an authorization bearer token. This can be done using tools like Postman or through a custom script that automates the process.

Remediation

Users are advised to update to LibreChat version 0.8.0 or later, where this vulnerability has been fixed.

Added: Oct 30, 2025, 8:20 PM
Updated: Oct 30, 2025, 8:20 PM

Vulnerability Rating

Custom Algorithm

Category         Score
spread           1.4
impact           0.6
exploitability   6.2
remediation      7.7
relevance        0.8
threat           6.4
urgency          2.9
incentive        0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.