Platform: nodejs
Component: librechat
Fixed in: 0.7.6
CVE-2024-10361 describes a path traversal vulnerability discovered in LibreChat, a Node.js application. The flaw allows attackers to delete arbitrary files on the server, potentially leading to significant data loss and system compromise. The vulnerability affects versions of LibreChat up to and including 0.7.5, and a patch is available in version 0.7.5.
The primary impact of CVE-2024-10361 is that an attacker can delete files on the server hosting LibreChat. This is possible because of improper input validation in the /api/files endpoint, which lets path traversal sequences escape the intended directory. An attacker could delete critical system files, user data, or application resources, causing a denial of service or even complete system failure. Files holding sensitive information can also be deleted to disrupt operations. This vulnerability resembles other path traversal exploits in which attackers leverage insufficient input sanitization to gain unauthorized access and control.
CVE-2024-10361 was published on 2025-03-20. As of this date, no public proof-of-concept exploits have been released, but the vulnerability's ease of exploitation suggests a potential for rapid exploitation. The EPSS score is currently pending evaluation, but the HIGH CVSS score and the potential for arbitrary file deletion indicate a medium-to-high probability of exploitation. Monitor security advisories and threat intelligence feeds for any signs of active exploitation campaigns.
Organizations deploying LibreChat, particularly those using older versions (≤0.7.5), are at risk. Shared hosting environments where multiple users share the same server are especially vulnerable, as an attacker could potentially compromise other users' data through file deletion. Systems with inadequate file permission configurations are also at increased risk.
• nodejs / server: ps aux | grep librechat
• nodejs / server: find / -name "librechat" -type d 2>/dev/null | xargs -I {} sh -c "ls -la {}/api/files"
• generic web: Use curl or wget to test the /api/files endpoint with various path traversal payloads (e.g., ../../../../etc/passwd) to see whether files outside the intended directory can be accessed or deleted. Examine access and error logs for suspicious requests.
EPSS: 0.37% (59th percentile)
The primary mitigation for CVE-2024-10361 is to upgrade LibreChat to version 0.7.5 or later, which contains the fix. If an immediate upgrade is not possible, consider temporary workarounds: restrict access to the /api/files endpoint with a Web Application Firewall (WAF) or reverse proxy that blocks suspicious requests, strengthen server-side input validation so that path traversal sequences are rejected before any filesystem operation, and regularly review file permissions so that the LibreChat process can only reach the files it needs.
Update LibreChat to version 0.7.5 or later. This version contains a fix for the path traversal vulnerability that allows arbitrary file deletion. Updating prevents attackers from exploiting this vulnerability to compromise the integrity and availability of the system.
CVE-2024-10361 is a HIGH severity vulnerability in LibreChat versions up to 0.7.5 allowing attackers to delete arbitrary files due to improper input validation in the /api/files endpoint.
You are affected if you are running LibreChat version 0.7.5 or earlier. Upgrade to version 0.7.5 to mitigate the risk.
Upgrade LibreChat to version 0.7.5 or later. As a temporary workaround, restrict access to the /api/files endpoint using a WAF or proxy.
As of 2025-03-20, no public exploits are known, but the vulnerability's ease of exploitation suggests a potential for exploitation.
Refer to the official LibreChat project repository and security advisories for updates and further information regarding CVE-2024-10361.