CVE-2024-10359
Published: 20 March 2025
Summary
CVE-2024-10359 is a medium-severity Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915) vulnerability in LibreChat (danny-avila/librechat). Its CVSS base score is 4.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001). It is ranked at the 41.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised as LLM Application Platforms, in the Privacy and Disclosure risk domain.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7099
Vulnerability details
In danny-avila/librechat version v0.7.5-rc2, a vulnerability exists in the preset creation functionality where a user can manipulate the user ID field through mass assignment. This allows an attacker to inject a different user ID into the preset object, causing the preset to appear in the UI of another user. The vulnerability arises because the backend saves the entire object received without validating the attributes and their values, impacting both integrity and confidentiality.
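The mass-assignment flaw described above, shown as an added example that is not LibreChat's own code: a preset builder that persists the request body as received, beside a hardened version that copies only an allowlist of fields and takes the owner from the authenticated session. The field names, function names and sample ids are assumptions for illustration.

```javascript
// Added example (not from the LibreChat code base). Demonstrates the
// CWE-915 pattern: saving a client-supplied object wholesale lets the
// client set attributes the server should control, such as the owner id.

// Vulnerable pattern: every attribute in the body is kept, so a `user`
// field supplied by the client overrides the authenticated user's id and
// the preset is stored under (and shown to) another account.
function buildPresetVulnerable(body, authenticatedUserId) {
  return { user: authenticatedUserId, ...body }; // body.user wins
}

// Hardened pattern: explicit allowlist of client-settable attributes
// (assumed names); the owner always comes from the session, never the body.
const PRESET_FIELDS = ['title', 'endpoint', 'model', 'temperature'];

function buildPresetHardened(body, authenticatedUserId) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    throw new TypeError('preset payload must be a plain object');
  }
  const preset = { user: authenticatedUserId };
  for (const field of PRESET_FIELDS) {
    // hasOwnProperty.call ignores inherited keys and prototype tricks
    if (Object.prototype.hasOwnProperty.call(body, field)) {
      preset[field] = body[field];
    }
  }
  return preset;
}

// Detection aid: list attributes outside the allowlist so such requests
// can be logged or rejected before they reach the data store.
function unexpectedFields(body) {
  return Object.keys(body).filter((k) => !PRESET_FIELDS.includes(k));
}

// Constructed request body: an owner id that is not the caller's own.
const constructedBody = { title: 'shared', model: 'm1', user: 'other-user-id' };

console.log(buildPresetVulnerable(constructedBody, 'caller-id').user); // other-user-id
console.log(buildPresetHardened(constructedBody, 'caller-id').user);   // caller-id
console.log(unexpectedFields(constructedBody));                         // [ 'user' ]
```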
- CWE(s): CWE-915
AI Security Analysis
- AI Category: LLM Application Platforms
- Risk Domain: Privacy and Disclosure
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: librechat
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The mass assignment vulnerability allows manipulation of the user ID field in presets, enabling unauthorized stored data manipulation (T1565.001) and content injection into other users' UIs (T1659), impacting integrity and confidentiality.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.