Denial of Service Vulnerability in LibreChat by Danny Avila
CVE-2025-7105

5.7MEDIUM

Key Information:

Vendor: Danny-avila
Status: Danny-avila/librechat
Vendor: CVE Published:; 2 February 2026

🔔 Create Danny-avila Vulnerability Alert

What is CVE-2025-7105?

A vulnerability in LibreChat enables attackers to abuse the unrestricted Fork Function located in /api/convos/fork. By forking multiple contents rapidly, particularly those including large Mermaid graphs, the service may experience a JavaScript heap out of memory error when restarted, leading to a denial of service. This affects the latest version of LibreChat, making it crucial for users to address this issue to maintain service availability.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

danny-avila/librechat < unspecified

References

https://huntr.com/bounties/e44f0740-48bd-443b-8826-528e6a...

https://github.com/danny-avila/librechat/commit/97a99985f...

CVSS V3.0

Score:

5.7

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Feb 2, 2026
Vulnerability Reserved
Jul 5, 2025

JSON

Danny-avila

What is CVE-2025-7105?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.0

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.