CVE-2024-10361 Overview
CVE-2024-10361 is an arbitrary file deletion vulnerability in danny-avila/librechat version 0.7.5-rc2. The flaw resides in the /api/files endpoint, which fails to properly validate user-supplied input. Attackers can submit path traversal sequences to delete files outside the intended upload directory. Successful exploitation allows unauthenticated deletion of critical system files, user data, and application resources. The vulnerability is categorized under [CWE-22] Improper Limitation of a Pathname to a Restricted Directory.
Critical Impact
Unauthenticated remote attackers can delete arbitrary files on the server, breaking application integrity and availability.
Affected Products
- LibreChat 0.7.5-rc2
- Self-hosted LibreChat deployments exposing /api/files
- Container and Docker-based LibreChat instances running the affected release
Discovery Timeline
- 2025-03-20 - CVE-2024-10361 published to NVD
- 2025-10-15 - Last updated in NVD database
Technical Details for CVE-2024-10361
Vulnerability Analysis
The vulnerability exists in LibreChat's file management API. The /api/files endpoint accepts a file identifier or path from the request and passes it to a deletion routine without sanitization. Attackers can embed ../ sequences in the supplied value to escape the upload directory. The server resolves the traversal and deletes the targeted file with the privileges of the LibreChat process.
The issue affects integrity and availability. An attacker can remove configuration files, database artifacts, user uploads, or system binaries reachable by the application user. Repeated abuse can render the application or host unusable. Because the endpoint is network-reachable and requires no authentication context for exploitation, the attack surface extends to any exposed LibreChat deployment.
Root Cause
The root cause is missing input validation on file path parameters consumed by the deletion handler. The code does not canonicalize the supplied path, does not enforce a base directory allowlist, and does not reject traversal characters. This pattern aligns with [CWE-22] path traversal.
Attack Vector
Exploitation occurs over the network against the /api/files route. An attacker crafts an HTTP request supplying a path containing .. segments to reference files outside the upload root. The server resolves the path and unlinks the targeted file.
// Patch excerpt from api/server/controllers/agents/v1.js
// Source: https://github.com/danny-avila/librechat/commit/0b744db1e2af31a531ffb761584d85540430639c
return res.status(400).json({ message: 'Agent ID is required' });
}
- let { avatar: _avatar = '{}' } = req.body;
-
const image = await uploadImageBuffer({
req,
context: FileContext.avatar,
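Review bot: the hunk removes the `let { avatar: _avatar = '{}' } = req.body;` binding but the excerpt stops at `context: FileContext.avatar,`, so it does not show where `_avatar` was previously consumed or what replaced it. Confirm in the full commit that no reference to `_avatar` remains and that the replacement does not derive any file path from another request-body field, otherwise the same traversal primitive survives under a different name.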
The patch removes untrusted avatar metadata handling that fed into file operations, eliminating the path-derivation primitive abused by attackers. See the GitHub commit for the complete fix and the Huntr bug bounty report for disclosure details.
Detection Methods for CVE-2024-10361
Indicators of Compromise
- HTTP requests to /api/files containing path traversal sequences such as ../, ..%2f, or URL-encoded variants
- Unexpected unlink or file deletion events on the LibreChat host targeting paths outside the configured upload directory
- Missing configuration files, environment files, or user uploads with no corresponding administrative action
- Application errors or crashes referencing missing files in LibreChat or supporting services
Detection Strategies
- Inspect web server and reverse proxy logs for DELETE or related requests to /api/files containing traversal patterns
- Enable filesystem auditing (auditd on Linux) on directories adjacent to the LibreChat upload root and alert on deletions by the LibreChat service account
- Correlate API access logs with filesystem change events to identify files removed in response to suspicious requests
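The log inspection described in the strategies above, as an added example that is not part of the original page: it parses combined-format access log lines (constructed samples below), decodes single- and double-URL-encoded values, and flags /api/files requests that carry a whole `..` segment in the path or query.

```javascript
// Added example, not from the page or LibreChat: flag access-log requests to /api/files
// that carry a traversal segment, including single- and double-URL-encoded forms.
// The log lines are constructed samples in nginx/Apache combined format.
const SAMPLE_LOG = [
  '203.0.113.5 - - [20/Mar/2025:10:01:02 +0000] "DELETE /api/files/..%2f..%2f.env HTTP/1.1" 200 12 "-" "curl/8.4"',
  '203.0.113.5 - - [20/Mar/2025:10:01:03 +0000] "DELETE /api/files/%252e%252e/%252e%252e/librechat.yaml HTTP/1.1" 200 12 "-" "curl/8.4"',
  '198.51.100.9 - - [20/Mar/2025:10:02:10 +0000] "DELETE /api/files/avatars/u1.png HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [20/Mar/2025:10:02:11 +0000] "GET /api/files?ids=a..b HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '192.0.2.7 - - [20/Mar/2025:10:03:00 +0000] "POST /api/files/../../etc/passwd HTTP/1.1" 404 0 "-" "python-requests/2.31"',
].join('\n');

// client ip, timestamp, method, URL and status from a combined-format line
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/;

// Decode percent-encoding repeatedly (bounded) so %252e%252e is judged as '..'.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { break; } // malformed escape: stop
    if (next === current) break;
    current = next;
  }
  return current;
}

// A traversal is a whole '..' segment in the path or query, not '..' inside a name,
// so an id such as 'a..b' is not flagged.
function hasTraversal(url) {
  return fullyDecode(url).split(/[\\/?&=]+/).some((segment) => segment === '..');
}

// Returns one record per matching request; only /api/files requests are considered.
function findTraversalRequests(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    const [, ip, timestamp, method, url, status] = m;
    if (!url.startsWith('/api/files')) continue;
    if (!hasTraversal(url)) continue;
    hits.push({ ip, timestamp, method, url, status: Number(status), decoded: fullyDecode(url) });
  }
  return hits;
}

// Per-client counts help prioritise: one client probing repeatedly is the usual pattern.
function countByClient(hits) {
  return hits.reduce((acc, h) => ({ ...acc, [h.ip]: (acc[h.ip] || 0) + 1 }), {});
}
```

Feed it the decoded request line from your proxy logs rather than the application log, since the reverse proxy sees the URL exactly as the client sent it.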
Monitoring Recommendations
- Forward LibreChat application logs and web access logs to a centralized analytics platform for path traversal pattern matching
- Baseline normal file deletion volume on the application host and alert on deviations
- Track failed and successful authentication attempts against the LibreChat API to identify reconnaissance preceding exploitation
How to Mitigate CVE-2024-10361
Immediate Actions Required
- Upgrade LibreChat to a release containing commit 0b744db1e2af31a531ffb761584d85540430639c or later
- Restrict network exposure of the /api/files endpoint to authenticated internal users where possible
- Run the LibreChat process under a least-privilege account that cannot delete system or sibling-application files
- Audit the host for evidence of unauthorized file deletions and restore from backups where required
Patch Information
The maintainers addressed the issue in the upstream repository. The fix is included in the commit referenced by the vendor advisory. Operators must update to a build that incorporates this commit. No vendor-supplied workaround exists for the unpatched version.
Workarounds
- Place LibreChat behind a web application firewall and block requests to /api/files containing .., %2e%2e, or other traversal encodings
- Mount the LibreChat upload directory on a dedicated filesystem with no symbolic links to sensitive locations
- Apply mandatory access controls (AppArmor or SELinux) that restrict the LibreChat process to its working directories
# Example nginx rule to block traversal sequences targeting the files API
# $request_uri is the raw, undecoded request line, so encoded forms are matched
# exactly as the client sent them; ~* makes the match case-insensitive (%2E%2E).
# The double-encoded form (%252e%252e) is included so it cannot pass through to
# an application layer that decodes twice. "return" is one of the directives
# that is safe to use inside a location-level "if".
location /api/files {
    if ($request_uri ~* "(\.\.|%2e%2e|%252e%252e)") {
        return 400;
    }
    proxy_pass http://librechat_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.