CVE-2026-31949
Last modified
CVE-2026-31949 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. LibreChat is a ChatGPT clone with additional features. Prior to 0.8.3-rc1, a Denial of Service (DoS) vulnerability exists in the DELETE /api/convos endpoint that allows an authenticated attacker to crash the Node.js server process by sending malformed requests. EPSS estimates a 0.38% chance of exploitation in the next 30 days.
Description
LibreChat is a ChatGPT clone with additional features. Prior to 0.8.3-rc1, a Denial of Service (DoS) vulnerability exists in the DELETE /api/convos endpoint that allows an authenticated attacker to crash the Node.js server process by sending malformed requests. The DELETE /api/convos route handler attempts to destructure req.body.arg without validating that it exists. The server crashes due to an unhandled TypeError that bypasses Express error handling middleware and triggers process.exit(1). This vulnerability is fixed in 0.8.3-rc1.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Librechat | Librechat | < 0.8.3 |
References
- https://github.com/danny-avila/LibreChat/security/advisories/GHSA-5m32-chq6-232pExploit, Mitigation, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-31949?
How severe is CVE-2026-31949?
How do I fix CVE-2026-31949?
Are you affected by CVE-2026-31949?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST