CVE-2026-54037
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk17th percentile — higher than 17% of all known CVEs
Summary
A vulnerability in LibreChat prior to 0.8.4-rc1 allows an authenticated user to bypass rate limiters added for the /fork endpoint by using the /duplicate endpoint, which performs the same expensive database operations but lacks any rate limiter. This can lead to server resource exhaustion.
Risk Assessment
The risk is a potential DoS attack by an authenticated user who can repeatedly call the /duplicate endpoint, causing database overload and slowing or denying service to other users.
Recommendation
Immediately upgrade LibreChat to version 0.8.4-rc1 or later, which includes a fix adding rate limiters to the /duplicate endpoint as well.
Original NVD description (English source)
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the fix for CVE-2025-7105 added forkIpLimiter and forkUserLimiter rate limiters to POST /api/convos/fork to prevent rapid-fire conversation duplication. However, the POST /api/convos/duplicate endpoint — which is in the same file and performs the exact same expensive database operations — was not given any rate limiter. An authenticated user can bypass the CVE-2025-7105 fix by using /duplicate instead of /fork to exhaust server resources. This vulnerability is fixed in 0.8.4-rc1.

