CVE-2024-11173

6.5 MEDIUM

📋 TL;DR

An unhandled exception vulnerability in LibreChat allows attackers to crash the server, causing denial of service. Attackers can exploit this by sending malformed input to specific API endpoints. While authentication is required, open registration enables unauthenticated attackers to create accounts and perform the attack.

💻 Affected Systems

Products:
  • LibreChat
Versions: All versions before 0.7.6, specifically including git commit 600d217
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Open registration must be enabled for unauthenticated exploitation; systems with registration disabled remain vulnerable to authenticated attacks.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service disruption making LibreChat unavailable to all users, potentially requiring manual server restart and causing extended downtime.

🟠 Likely Case

Service crashes requiring restart, causing temporary unavailability and potential data loss for active sessions.

🟢 If Mitigated

Server remains stable with proper input validation and exception handling in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires creating an account if open registration is enabled, then sending malformed requests to vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.7.6

Vendor Advisory: https://github.com/danny-avila/librechat/commit/95a212534f1c5991bd1231a34ac3668b4b592cc3

Restart Required: Yes

Instructions:

1. Update LibreChat to version 0.7.6 or later.
2. Restart the LibreChat service.
3. Verify the fix by checking the version and testing API endpoints.

🔧 Temporary Workarounds

Disable Open Registration (applies to: all)

Prevents unauthenticated attackers from creating accounts to exploit the vulnerability.

Edit LibreChat configuration to disable open registration.

Implement Input Validation (applies to: all)

Add input validation at the web application firewall or reverse proxy level.

Configure WAF rules to filter malformed API requests.
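The handler-level hardening that the "If Mitigated" outcome above depends on, shown as an added example in plain Node.js. This is not LibreChat's code; the request shape and the `messages`/`text` field names are constructed for illustration.

```javascript
// Added example (not LibreChat code). Request shape and field names are constructed.

// Unsafe: trusts the body shape. A body whose `messages` field is missing or is not
// an array of objects throws a TypeError. In Node, an exception that escapes a
// request handler unhandled terminates the process, which is the crash-based
// denial of service this advisory describes.
function handleUnsafe(rawBody) {
  const body = JSON.parse(rawBody);                      // throws on malformed JSON
  const last = body.messages[body.messages.length - 1];  // throws if messages is undefined
  return { status: 200, reply: `echo: ${last.text.trim()}` }; // throws if text is not a string
}

// Safe: validate before trusting, then convert anything that still throws into a
// response so the exception never reaches the event loop.
function validateBody(body) {
  if (typeof body !== 'object' || body === null || Array.isArray(body)) {
    return 'body must be a JSON object';
  }
  if (!Array.isArray(body.messages) || body.messages.length === 0) {
    return 'messages must be a non-empty array';
  }
  const last = body.messages[body.messages.length - 1];
  if (typeof last !== 'object' || last === null || typeof last.text !== 'string') {
    return 'last message must carry a string text field';
  }
  return null; // no problem found
}

function handleSafe(rawBody) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch {
    return { status: 400, error: 'invalid JSON' };
  }
  const problem = validateBody(body);
  if (problem) return { status: 400, error: problem };
  try {
    const last = body.messages[body.messages.length - 1];
    return { status: 200, reply: `echo: ${last.text.trim()}` };
  } catch (err) {
    // Last line of defence: answer 500 and keep the process alive; log `err` here.
    return { status: 500, error: 'internal error' };
  }
}

// Helper: does the handler let an exception escape for this body?
function escapes(handler, rawBody) {
  try { handler(rawBody); return false; } catch { return true; }
}
```

A process-wide `process.on('uncaughtException', ...)` logger is a useful safety net for async paths that still escape, but it is not a substitute for the per-handler validation shown here.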

🧯 If You Can't Patch

  • Disable open registration to prevent unauthenticated exploitation
  • Implement rate limiting on API endpoints to limit how quickly an attacker can send malformed requests

🔍 How to Verify

Check if Vulnerable:

Check whether the installed LibreChat version is below 0.7.6 by examining the version file or running the version check command.

Check Version:

Check package.json or version file in LibreChat installation directory

Verify Fix Applied:

Confirm version is 0.7.6 or higher and test API endpoints with malformed input to ensure proper error handling

📡 Detection & Monitoring

Log Indicators:

  • Unhandled exception errors in server logs
  • Server crash/restart events
  • Multiple failed API requests with malformed input

Network Indicators:

  • Unusual patterns of API requests to vulnerable endpoints
  • Sudden drop in service availability

SIEM Query:

source="librechat.log" AND ("unhandled exception" OR "crash" OR "500 error")
