Denial of Service Vulnerability in LibreChat by Danny Avila
CVE-2025-8849

5.4MEDIUM

Key Information:

Vendor: Danny-avila
Status: Danny-avila/librechat
Vendor: CVE Published:; 30 October 2025

🔔 Create Danny-avila Vulnerability Alert

What is CVE-2025-8849?

LibreChat version 0.7.9 is susceptible to a Denial of Service attack stemming from unbounded parameter values in the /api/memories endpoint. The key and value parameters are not properly validated, allowing attackers to submit excessively large inputs. This flaw can induce a null pointer error in the Rust-based backend, disrupting the ability to create new memories and causing service instability.

Affected Version(s)

danny-avila/librechat < unspecified

References

https://huntr.com/bounties/e9d9404c-cd19-4226-a580-9cba14...

https://github.com/danny-avila/librechat/commit/edf33bedc...

CVSS V3.0

Score:

5.4

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 30, 2025
Vulnerability Reserved
Aug 10, 2025

CVE-2025-8849 Data

JSON