CVE-2026-31949

MEDIUM

LibreChat <0.8.3-rc1 - DoS

Title source: llm

Description

LibreChat is a ChatGPT clone with additional features. Prior to 0.8.3-rc1, a Denial of Service (DoS) vulnerability exists in the DELETE /api/convos endpoint that allows an authenticated attacker to crash the Node.js server process by sending malformed requests. The DELETE /api/convos route handler attempts to destructure req.body.arg without validating that it exists. The server crashes due to an unhandled TypeError that bypasses Express error handling middleware and triggers process.exit(1). This vulnerability is fixed in 0.8.3-rc1.

References (1)

[Vendor Advisory] https://github.com/danny-avila/LibreChat/security/advisories/GHSA-5m32-chq6-232p

Scores

CVSS v3 6.5

EPSS 0.0006

EPSS Percentile 17.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-248

Status published

Products (2)

danny-avila/LibreChat < 0.8.3-rc1

librechat/librechat < 0.8.3

Published Mar 13, 2026

Tracked Since Mar 14, 2026