CVE-2024-11173

MEDIUM

Librechat < 0.7.6 - Denial of Service

Title source: rule

Description

An unhandled exception in the danny-avila/librechat repository, version git 600d217, can cause the server to crash, leading to a full denial of service. This issue occurs when certain API endpoints receive malformed input, resulting in an uncaught exception. Although a valid JWT is required to exploit this vulnerability, LibreChat allows open registration, enabling unauthenticated attackers to create an account and perform the attack. The issue is fixed in version 0.7.6.

References (2)

[Patch] https://github.com/danny-avila/librechat/commit/95a212534f1c5991bd1231a34ac3668b4b592cc3

View Patch ZIP pw:eip

[Exploit, Third Party Advisory] https://huntr.com/bounties/4cebf926-c17f-4836-868b-e1de86221cec

Scores

CVSS v3 6.5

EPSS 0.0129

EPSS Percentile 79.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-248

Status published

Products (1)

librechat/librechat < 0.7.6

Published Mar 20, 2025

Tracked Since Feb 18, 2026