CVE-2024-10361

CRITICAL

librechat v0.7.5-rc2 - Arbitrary File Deletion via Path Traversal in /api/files Endpoint

Title source: llm

Description

An arbitrary file deletion vulnerability exists in danny-avila/librechat version v0.7.5-rc2, specifically within the /api/files endpoint. This vulnerability arises from improper input validation, allowing path traversal techniques to delete arbitrary files on the server. Attackers can exploit this to bypass security mechanisms and delete files outside the intended directory, including critical system files, user data, or application resources. This vulnerability impacts the integrity and availability of the system.

References (2)

Core 2

Core References

Patch

https://github.com/danny-avila/librechat/commit/0b744db1e2af31a531ffb761584d85540430639c

View Patch ZIP pw:eip

Exploit, Third Party Advisory

https://huntr.com/bounties/e811f7f7-9556-4564-82e2-5b3d17599b2d

Scores

CVSS v3 9.1

EPSS 0.0085

EPSS Percentile 53.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (1)

librechat/librechat 0.7.5 rc2

Published Mar 20, 2025

Tracked Since Feb 18, 2026