Path Traversal Vulnerability in LibreChat by Danny Avila
CVE-2024-11170
8.8 HIGH
What is CVE-2024-11170?
A path traversal vulnerability has been identified in LibreChat, a project by Danny Avila. The issue arises from improper sanitization of file paths handled by the multer middleware. Attackers can exploit this flaw to manipulate file paths and write arbitrary files on the server. This can ultimately lead to remote code execution, posing significant security risks. The vulnerability has been addressed in version 0.7.6.
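A containment check of the kind that guards an upload handler against this class of bug, shown beside the naive join it replaces. This is an added example, not LibreChat's code or its actual fix; `UPLOAD_ROOT`, `naiveUploadPath`, `safeUploadPath`, the `userId`/`filename` parameters and all sample inputs are hypothetical and constructed for illustration.

```javascript
const path = require('node:path');

// Hypothetical upload root (constructed for this example).
const UPLOAD_ROOT = '/srv/app/uploads';

// Naive form: request-supplied parts are joined straight into the
// destination, so "../" segments are normalized away and the result
// can land outside the upload root.
function naiveUploadPath(root, userId, filename) {
  return path.posix.join(root, userId, filename);
}

// Hardened form: returns an absolute path inside `root`, or null when
// the input must be rejected.
function safeUploadPath(root, userId, filename) {
  for (const part of [userId, filename]) {
    if (typeof part !== 'string' || part.length === 0) return null;
    if (part.includes('\0')) return null; // NUL bytes never belong in a path
  }
  // The per-user directory name is restricted to an allow-list.
  if (!/^[A-Za-z0-9_-]+$/.test(userId)) return null;

  // The filename must be a single path component. Backslashes are
  // treated as separators so Windows-style input is caught as well.
  const normalized = filename.replace(/\\/g, '/');
  const base = path.posix.basename(normalized);
  if (base !== filename || base === '.' || base === '..') return null;

  // Defense in depth: resolve, then confirm the target is still under root.
  const rootAbs = path.posix.resolve(root);
  const target = path.posix.resolve(rootAbs, userId, base);
  if (!target.startsWith(rootAbs + '/')) return null;
  return target;
}

// Constructed inputs showing the difference between the two forms.
const samples = [
  ['u1', 'report.pdf'],
  ['u1', '../../config/x.js'],
  ['../shared', 'a.txt'],
];
for (const [userId, filename] of samples) {
  console.log(JSON.stringify({
    userId, filename,
    naive: naiveUploadPath(UPLOAD_ROOT, userId, filename),
    safe: safeUploadPath(UPLOAD_ROOT, userId, filename),
  }));
}
```

With multer, a check like this belongs in the storage engine's `destination` and `filename` callbacks, with a `null` result turned into a rejected upload.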
Affected Version(s)
danny-avila/librechat < 0.7.6