CVE-2024-11173

MEDIUM

librechat < 0.7.6 - Denial of Service via Malformed API Input

Title source: llm

Description

An unhandled exception in the danny-avila/librechat repository, version git 600d217, can cause the server to crash, leading to a full denial of service. This issue occurs when certain API endpoints receive malformed input, resulting in an uncaught exception. Although a valid JWT is required to exploit this vulnerability, LibreChat allows open registration, enabling unauthenticated attackers to create an account and perform the attack. The issue is fixed in version 0.7.6.

References (2)

Core 2

Core References

Patch

https://github.com/danny-avila/librechat/commit/95a212534f1c5991bd1231a34ac3668b4b592cc3

View Patch ZIP pw:eip

Exploit, Third Party Advisory

https://huntr.com/bounties/4cebf926-c17f-4836-868b-e1de86221cec

Scores

CVSS v3 6.5

EPSS 0.0074

EPSS Percentile 49.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-248

Status published

Products (1)

librechat/librechat < 0.7.6

Published Mar 20, 2025

Tracked Since Feb 18, 2026