CVE-2024-11169

7.5 HIGH

📋 TL;DR

An unhandled exception in the fs module of danny-avila/librechat allows unauthenticated attackers to crash the server by sending specially crafted file upload requests. This vulnerability affects all deployments running vulnerable versions of LibreChat. The server crash results in denial of service, disrupting chat functionality.

💻 Affected Systems

Products:
  • danny-avila/librechat
Versions: Versions before 0.7.6
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with file upload functionality enabled are vulnerable. The vulnerability exists in the specific commit 3c94ff2 and earlier versions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service outage through repeated exploitation, causing extended downtime and potential data loss for in-progress conversations.

🟠

Likely Case

Temporary service disruption requiring manual server restart, with potential loss of unsaved chat sessions.

🟢

If Mitigated

Minimal impact with proper monitoring and automated recovery systems in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted requests to trigger the fs module exception. No authentication is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.7.6

Vendor Advisory: https://github.com/danny-avila/librechat/commit/629be5c0ca2b332178524b4e3f6fac715aea8cc4

Restart Required: Yes

Instructions:

  1. Update LibreChat to version 0.7.6 or later.
  2. Run `npm install` to update dependencies.
  3. Restart the LibreChat service.

🔧 Temporary Workarounds

Disable file uploads (applies to: all)

  • Temporarily disable file upload functionality to prevent exploitation.
  • Modify the LibreChat configuration to disable the file upload endpoints.

Implement request filtering (applies to: all)

  • Use a WAF or reverse proxy to filter malicious file upload requests.
  • Configure WAF rules to block suspicious file upload patterns.

🧯 If You Can't Patch

  • Implement rate limiting on file upload endpoints
  • Deploy behind a reverse proxy with request validation

🔍 How to Verify

Check if Vulnerable:

Check whether the LibreChat version is below 0.7.6 by examining package.json or running a version check command.

Check Version:

npm list librechat | grep librechat

Verify Fix Applied:

Confirm that the version is 0.7.6 or higher and test the file upload functionality.

📡 Detection & Monitoring

Log Indicators:

  • Server crash logs
  • Unhandled exception errors from fs module
  • Repeated failed file upload attempts

Network Indicators:

  • Spike in file upload requests from single IP
  • Malformed file upload payloads

SIEM Query:

source="librechat.log" AND ("unhandled exception" OR "fs module error" OR "server crash")
