CVE Catalog

CVE-2026-54024

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

14th percentile — higher than 14% of all known CVEs

Summary

A vulnerability in LibreChat before version 0.8.4-rc1 allows an authenticated user to upload arbitrarily large files via the conversation import endpoint, potentially exhausting server disk space and memory. The issue stems from missing file size limits in a separate multer instance for this endpoint and a disabled application-level size check by default.

Risk Assessment

The organization is at risk of a Denial of Service (DoS) attack through intentional disk space exhaustion and memory overload, which could render the service unavailable for all users.

Recommendation

Immediately update LibreChat to version 0.8.4-rc1 or later. Additionally, enable and configure the CONVERSATION_IMPORT_MAX_FILE_SIZE_BYTES environment variable in the .env file.

Original NVD description (English source)

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the fix for CVE-2024-11171 (commit bb58a2d0) added limits: { fileSize } to createMulterInstance() in the file upload routes. However, the POST /api/convos/import endpoint uses a separate multer instance that was never updated with the same limits configuration. Combined with the application-level size check being disabled by default (the CONVERSATION_IMPORT_MAX_FILE_SIZE_BYTES env var is commented out in .env.example), an authenticated user can upload arbitrarily large files to exhaust server disk space and memory. This vulnerability is fixed in 0.8.4-rc1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS