CVE-2024-10361

Critical CVSS: 9.1

An arbitrary file deletion vulnerability exists in danny-avila/librechat version v0.7.5-rc2, specifically within the /api/files endpoint. This vulnerability arises from improper input validation, allowing path traversal techniques to delete arbitrary files on the server. Attackers can exploit this to bypass security mechanisms and delete files outside the intended directory, including critical system files, user data, or application resources. This vulnerability impacts the integrity and availability of the system.

Vendor

Librechat

Product

Librechat

CWE

CWE-22

Yayın Tarihi

2025-03-20 10:15:16

Güncelleme

2025-10-15 13:15:35

Source Identifier

security@huntr.dev

KEV Date Added

Kategoriler

CWE-22 Librechat CRITICAL Librechat 2025

Referanslar

https://github.com/danny-avila/librechat/commit/0b744db1e2af31a531ffb761584d85540430639c https://huntr.com/bounties/e811f7f7-9556-4564-82e2-5b3d17599b2d

Benzer Kayıtlar

High

CVE-2026-31945

LibreChat is a ChatGPT clone with additional features. Versions 0.8.2-rc2 through 0.8.2 are vulnerable to a server-side…

Medium

CVE-2026-31950

LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc2 through 0.8.2-rc3, the SSE streaming endpoi…

Medium

CVE-2026-31951

LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc1 through 0.8.3-rc1, user-created MCP (Model…

High

CVE-2026-31943

LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.3, `isPrivateIP()` in `packages/api/src/auth…

Medium

CVE-2026-33265

In LibreChat 0.8.1-rc2, a logged-in user obtains a JWT for both the LibreChat API and the RAG API.

High

CVE-2025-41258

LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session mechanism and RAG API which compromises the se…