Platform
nodejs
Component
librechat
Fixed in
0.7.6
CVE-2024-10361 describes a Path Traversal vulnerability discovered in LibreChat, a NodeJS application. This flaw allows attackers to delete arbitrary files on the server, potentially leading to significant data loss and system compromise. The vulnerability affects versions of LibreChat up to and including 0.7.5, and a patch is available in version 0.7.5.
The primary impact of CVE-2024-10361 is the ability for an attacker to delete arbitrary files on the server hosting LibreChat. This is achieved through improper input validation within the /api/files endpoint, enabling path traversal techniques. Successful exploitation could lead to the deletion of sensitive user data, critical configuration files, or even core system files, resulting in a denial of service or complete compromise of the system. The potential blast radius extends to any data stored on the server accessible through the vulnerable endpoint. This vulnerability shares similarities with other path traversal issues where attackers leverage predictable file system structures to gain unauthorized access and control.
CVE-2024-10361 was published on 2025-03-20. Public proof-of-concept exploits are currently unknown, but the vulnerability's nature makes it likely that such exploits will emerge. The EPSS score is pending evaluation. It is recommended to prioritize patching due to the potential for significant impact.
Organizations deploying LibreChat, particularly those using older versions (≤0.7.5), are at risk. Shared hosting environments where multiple users share the same server are especially vulnerable, as an attacker could potentially compromise other users' data through file deletion. Systems with inadequate file permission configurations are also at increased risk.
• nodejs / server:
ps aux | grep librechat
• nodejs / server:
find / -name "librechat" -type d 2>/dev/null | xargs -I {} sh -c "ls -la {}/api/files"
• generic web:
Use curl or wget to test the /api/files endpoint with various path traversal payloads (e.g., ../../../../etc/passwd) and check whether arbitrary files can be accessed or deleted. Examine access and error logs for suspicious requests.
EPSS
0.37% (59th percentile)
The primary mitigation for CVE-2024-10361 is to upgrade LibreChat to version 0.7.5 or later, which includes the necessary input validation fixes. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as restricting file system access permissions for the LibreChat user account to only the intended directories. Web Application Firewalls (WAFs) configured with rules to detect and block path traversal attempts targeting the /api/files endpoint can provide an additional layer of defense. Monitor system logs for suspicious file deletion activity, particularly targeting sensitive locations.
Update LibreChat to version 0.7.5 or later. This version contains a fix for the path traversal vulnerability that allows arbitrary file deletion. Updating prevents attackers from exploiting this vulnerability to compromise the integrity and availability of the system.
CVE-2024-10361 is a HIGH severity vulnerability in LibreChat versions up to 0.7.5 allowing attackers to delete arbitrary files due to improper input validation in the /api/files endpoint.
You are affected if you are running LibreChat version 0.7.5 or earlier. Upgrade to version 0.7.5 to mitigate the risk.
Upgrade LibreChat to version 0.7.5 or later. As a temporary workaround, restrict access to the /api/files endpoint using a WAF or proxy.
As of 2025-03-20, no public exploits are known, but the vulnerability is easy to exploit, so exploitation attempts should be expected.
Refer to the official LibreChat project repository and security advisories for updates and further information regarding CVE-2024-10361.