CVE-2026-54024 in LibreChat

Summary

by MITRE • 06/25/2026

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the fix for CVE-2024-11171 (commit bb58a2d0) added limits: { fileSize } to createMulterInstance() in the file upload routes. However, the POST /api/convos/import endpoint uses a separate multer instance that was never updated with the same limits configuration. Combined with the application-level size check being disabled by default (the CONVERSATION_IMPORT_MAX_FILE_SIZE_BYTES env var is commented out in .env.example), an authenticated user can upload arbitrarily large files to exhaust server disk space and memory. This vulnerability is fixed in 0.8.4-rc1.


Analysis

by VulDB Data Team • 06/25/2026

The vulnerability tracked as CVE-2026-54024 (the gap left by the fix for CVE-2024-11171) is a critical security flaw in LibreChat versions prior to 0.8.4-rc1 that stems from inconsistent file upload handling across application endpoints. The limits introduced by that earlier fix were applied to some upload routes but not to all related functionality, leaving an exploitable gap in the system's defenses.

The flaw is a configuration inconsistency in the file upload subsystem: the POST /api/convos/import endpoint uses a separate multer instance that was never given the size limits applied elsewhere in the application. While the other upload routes received a { fileSize } restriction through createMulterInstance(), the import endpoint kept its original configuration without that protection. The problem is compounded by the default settings: the CONVERSATION_IMPORT_MAX_FILE_SIZE_BYTES environment variable is commented out in .env.example, which disables the application-level size validation that would otherwise have rejected oversized uploads.

The operational impact is severe and directly threatens system availability and resource integrity. An authenticated user can upload arbitrarily large files that consume server disk space and memory without restriction. This is a denial-of-service condition in which legitimate operations degrade through resource exhaustion and the service may become unavailable altogether. The vulnerability affects the application's storage capacity and memory management rather than enabling code execution or privilege escalation, which makes it particularly dangerous in environments where server resources are constrained.

Exploitation aligns with the attack pattern documented in the ATT&CK framework under T1499, network denial of service: a resource-exhaustion attack that an authenticated user can carry out without elevated privileges or a complex exploit chain. The weakness is classified as CWE-400, an unchecked resource allocation, because the application fails to validate file sizes before processing uploads. The inconsistent controls across endpoints show a failure to apply input validation and access control measures uniformly, a basic requirement of industry security standards for maintaining system integrity.

Mitigation should focus on keeping security configuration consistent across every file upload endpoint in the application. The fix in version 0.8.4-rc1 does this by applying to the import endpoint the same size limits that the other upload routes already enforced. Organizations should also manage environment variables so that default security settings are enabled rather than left commented out, and conduct regular code reviews to confirm that security controls are applied consistently across all application components. Monitoring for unusual file upload patterns and alerting on resource consumption thresholds can help detect exploitation attempts before they significantly affect availability.
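As an added example (not LibreChat's own code), the following shows the configuration pattern the advisory describes: one shared builder for multer options so every upload route carries limits.fileSize, an env-var parser for CONVERSATION_IMPORT_MAX_FILE_SIZE_BYTES that falls back to a hard cap instead of "unlimited" when the variable is unset, and an audit check that flags an options object with no limit. multer itself is not imported; the object built here is what it would receive, and the names buildUploadOptions, importSizeLimit, hasFileSizeLimit, acceptsUpload and the 100 MiB default are assumptions.

```javascript
// Added example, not LibreChat's code. Assumed default cap: 100 MiB.
const DEFAULT_MAX_UPLOAD_BYTES = 100 * 1024 * 1024;

// Parse the env var. Unset or blank means the default cap, never Infinity,
// so a commented-out line in .env cannot silently disable the check.
function importSizeLimit(env, fallback = DEFAULT_MAX_UPLOAD_BYTES) {
  const raw = env.CONVERSATION_IMPORT_MAX_FILE_SIZE_BYTES;
  if (raw === undefined || String(raw).trim() === '') return fallback;
  const bytes = Number(raw);
  if (!Number.isSafeInteger(bytes) || bytes <= 0) {
    throw new Error('CONVERSATION_IMPORT_MAX_FILE_SIZE_BYTES must be a positive integer');
  }
  return bytes;
}

// Every route builds its multer options here, so a limit cannot be forgotten.
function buildUploadOptions({ dest, fileSize }) {
  if (!Number.isSafeInteger(fileSize) || fileSize <= 0) {
    throw new Error('fileSize limit is required');
  }
  return { dest, limits: { fileSize } }; // multer's limits.fileSize is in bytes
}

// Review/audit check: does this multer options object actually carry a limit?
function hasFileSizeLimit(options) {
  const limit = options && options.limits && options.limits.fileSize;
  return Number.isSafeInteger(limit) && limit > 0;
}

// Models multer's behaviour: a file larger than limits.fileSize is rejected,
// while a missing limit accepts any size (the import route before the fix).
function acceptsUpload(options, fileBytes) {
  return !hasFileSizeLimit(options) || fileBytes <= options.limits.fileSize;
}

// Weak configuration, as the advisory describes the import route pre-0.8.4-rc1.
const weakImportOptions = { dest: '/tmp/uploads' };

// Hardened configuration: same builder and limit as the other upload routes.
const hardenedImportOptions = buildUploadOptions({
  dest: '/tmp/uploads',
  fileSize: importSizeLimit(process.env),
});
```

Running hasFileSizeLimit over every multer options object in a code base is a cheap regression test for exactly the inconsistency this CVE describes.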

Responsible: GitHub M

Reservation: 06/11/2026

Disclosure: 06/25/2026

Moderation: accepted

CPE: ready

EPSS: 0.00235

KEV: no

Activities: low
