CVE-2026-31949 in LibreChat

Summary

by MITRE • 03/13/2026

LibreChat is a ChatGPT clone with additional features. Prior to 0.8.3-rc1, a Denial of Service (DoS) vulnerability exists in the DELETE /api/convos endpoint that allows an authenticated attacker to crash the Node.js server process by sending malformed requests. The DELETE /api/convos route handler attempts to destructure req.body.arg without validating that it exists. The server crashes due to an unhandled TypeError that bypasses Express error handling middleware and triggers process.exit(1). This vulnerability is fixed in 0.8.3-rc1.


Analysis

by VulDB Data Team • 03/20/2026

The vulnerability CVE-2026-31949 affects LibreChat version 0.8.3-rc1 and earlier, representing a critical denial of service flaw in the application's RESTful API. The issue lies in the DELETE /api/convos endpoint, which removes conversation records from the system. It stems from inadequate input validation in the route handler: the handler fails to check the shape of the request body, so an authenticated attacker can submit malformed request data that the code cannot process. Carefully crafted requests thereby crash the underlying Node.js server process by escaping the normal error handling path.

The technical root cause lies in an unguarded destructuring operation in the application's codebase. When the DELETE /api/convos handler processes an incoming request, it destructures req.body.arg without first verifying that the property exists or has the expected type. This pattern trusts client-supplied input without validation and raises an unhandled TypeError that propagates through the application's execution flow. The failure manifests at runtime, when the destructuring operation finds no object to destructure, and ends with the Node.js process terminating abruptly.

The operational impact of this vulnerability extends beyond simple service disruption, as it enables authenticated attackers to cause complete system crashes that can result in extended downtime and potential data loss. The crash occurs through an unhandled TypeError exception that bypasses Express.js error handling middleware, which is a critical failure in the application's error management architecture. This bypass mechanism allows the error to propagate directly to the Node.js runtime environment where it triggers process.exit(1), effectively terminating the server process and rendering the application unavailable to legitimate users. The vulnerability's authentication requirement limits its scope but does not eliminate the severity of its impact on system availability.

Security practitioners should note that this vulnerability aligns with CWE-470, which addresses the use of insecure deserialization patterns and improper input validation. The flaw also demonstrates characteristics of ATT&CK technique T1499.004, which involves network denial of service attacks through process termination. The vulnerability's exploitation requires authentication, making it less severe than unauthenticated attacks but still presenting a significant risk to system availability and operational continuity. Organizations should prioritize immediate patching to version 0.8.3-rc1 or later, as this update resolves the underlying destructuring validation issue and restores proper error handling mechanisms.

The fix implemented in version 0.8.3-rc1 addresses the core issue by adding proper validation checks before attempting to destructure the request body arguments. This remediation ensures that the application gracefully handles malformed requests rather than allowing unhandled exceptions to crash the process. The updated implementation likely includes conditional checks or default value assignments that prevent the TypeError from occurring in the first place. System administrators should also consider implementing additional monitoring and logging around the affected endpoint to detect potential exploitation attempts and maintain visibility into the application's operational health.
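To make the root cause and the shape of the fix concrete, the following is an added illustration written for this page; it is not LibreChat's code. It models the handler with plain objects so it runs without Express, and the field name conversationId inside arg is a hypothetical example; the vulnerable form is run beside a validated form over a set of constructed request bodies.

```javascript
// Added illustration of the bug class in the advisory, NOT LibreChat's code.
// Plain objects stand in for Express req/res so it runs without dependencies.
// The field name `conversationId` inside `arg` is a hypothetical example.

// Vulnerable shape: destructures req.body.arg without checking it exists.
// When the body is absent, or has no `arg`, or `arg` is null, the
// destructuring throws a TypeError instead of answering the request.
function deleteConvosVulnerable(req) {
  const { conversationId } = req.body.arg; // TypeError on undefined/null
  return { status: 200, deleted: conversationId };
}

// Hardened shape: validate the shape first and reply 400 on bad input.
// Null, arrays and primitives are rejected explicitly. Note that a string
// `arg` does not crash the vulnerable handler (strings destructure to
// undefined), so the check also guards against silently proceeding.
function deleteConvosHardened(req) {
  const arg = req.body ? req.body.arg : undefined;
  if (arg === null || typeof arg !== 'object' || Array.isArray(arg)) {
    return { status: 400, error: 'arg must be an object' };
  }
  const { conversationId } = arg;
  if (typeof conversationId !== 'string' || conversationId === '') {
    return { status: 400, error: 'conversationId is required' };
  }
  return { status: 200, deleted: conversationId };
}

// Run one handler against one body and record whether it threw. In the
// real service an escaped TypeError is the crash path; here it is only
// reported so the two handlers can be compared side by side.
function probe(handler, body) {
  try {
    const res = handler({ body });
    return { status: res.status, threw: false };
  } catch (err) {
    return { status: null, threw: true, error: err.name };
  }
}

// Constructed request bodies: four malformed variants and one valid one.
const BODIES = {
  noBody: undefined,
  emptyObject: {},
  nullArg: { arg: null },
  stringArg: { arg: 'not-an-object' },
  valid: { arg: { conversationId: 'c-123' } },
};

function compare() {
  const out = {};
  for (const [name, body] of Object.entries(BODIES)) {
    out[name] = {
      vulnerable: probe(deleteConvosVulnerable, body),
      hardened: probe(deleteConvosHardened, body),
    };
  }
  return out;
}

console.log(JSON.stringify(compare(), null, 2));
```

The same validate-before-destructure pattern applies to any handler that reads nested properties of a JSON body; returning 400 keeps malformed input from ever reaching a code path that can throw.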

Responsible: GitHub M

Reservation: 03/10/2026

Disclosure: 03/13/2026

Moderation: accepted

CPE: ready

EPSS: 0.00066

KEV: no

Activities: very low
