Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-11172

CVE-2024-11172: LibreChat Denial of Service Vulnerability

CVE-2024-11172 is a denial of service vulnerability in LibreChat that allows unauthenticated attackers to crash the server with a crafted payload. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2024-11172 Overview

CVE-2024-11172 is a denial of service vulnerability in danny-avila/librechat, an open-source AI chat platform. The flaw exists in the checkBan middleware, which lacks a surrounding try-catch block. An unauthenticated remote attacker can send a crafted payload that triggers an unhandled exception, crashing the server process. The issue affects LibreChat commit a1647d7 and earlier versions, and is fixed in version 0.7.6. The vulnerability is classified under [CWE-248: Uncaught Exception] and requires no authentication or user interaction to exploit.

Critical Impact

Unauthenticated attackers can crash LibreChat servers remotely with a single crafted HTTP request, resulting in service outage for all users.

Affected Products

  • LibreChat (danny-avila/librechat) versions prior to 0.7.6
  • LibreChat git commit a1647d7
  • Self-hosted LibreChat deployments exposing the affected middleware

Discovery Timeline

  • 2025-03-20 - CVE-2024-11172 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-11172

Vulnerability Analysis

The vulnerability resides in the checkBan middleware located at api/server/middleware/checkBan.js. This middleware intercepts incoming HTTP requests and validates whether the requester is on the ban list. When the middleware processes a malformed or crafted payload, it raises an exception that propagates up the call stack. Because no try-catch construct wraps the middleware logic, Node.js treats the exception as unhandled and terminates the entire server process. This turns a routine request-handling error into a full application crash affecting every connected user.

Root Cause

The root cause is missing exception handling in an Express middleware component. Node.js applications must catch exceptions inside asynchronous middleware or forward them to Express error handlers using next(err). The original checkBan implementation did neither. Any operation that raises an exception, such as unexpected input types passed to downstream cache or database lookups, causes the process to exit. [CWE-248] describes this class of defect where a program does not catch an exception that alters control flow.

Attack Vector

Exploitation requires only network access to a LibreChat instance. The attacker sends an HTTP request containing a payload structured to trigger a runtime exception within checkBan. Because the middleware runs early in the request pipeline before authentication checks, no credentials are required. A single request is sufficient to crash the process, and repeated requests during automated restart cycles produce sustained denial of service.

javascript
// Patch: api/server/middleware/checkBan.js
 const denyRequest = require('./denyRequest');
 const { getLogStores } = require('~/cache');
 const { findUser } = require('~/models');
+const { logger } = require('~/config');
 
 const banCache = new Keyv({ store: keyvMongo, namespace: ViolationTypes.BAN, ttl: 0 });
 const message = 'Your account has been temporarily banned due to violations of our service.';

Source: GitHub Commit 976784c. The patch introduces the logger import and wraps middleware operations with error handling to prevent unhandled exceptions from terminating the process.

Detection Methods for CVE-2024-11172

Indicators of Compromise

  • Unexpected termination of the LibreChat Node.js process with an uncaught exception stack trace referencing checkBan.js
  • Repeated container or service restarts triggered by orchestration platforms such as Kubernetes or systemd
  • HTTP 5xx responses or connection resets following requests containing anomalous payload structures targeting the ban check path

Detection Strategies

  • Monitor application logs for stack traces originating in api/server/middleware/checkBan.js or messages containing UnhandledPromiseRejection
  • Correlate process exit events with preceding inbound HTTP requests to identify the triggering payload
  • Deploy web application firewall rules that inspect request bodies for malformed JSON or unexpected field types sent to LibreChat endpoints

Monitoring Recommendations

  • Track process uptime and restart counts for LibreChat containers using metrics platforms such as Prometheus
  • Alert on Node.js uncaughtException events emitted to stderr
  • Log all HTTP requests with source IP and payload hashes to enable post-incident forensics

How to Mitigate CVE-2024-11172

Immediate Actions Required

  • Upgrade LibreChat to version 0.7.6 or later, which contains the patch in commit 976784c01fa4cce00d4c2941801d56aed375c21b
  • Restrict network exposure of LibreChat instances to authenticated users through a reverse proxy or VPN until patching is complete
  • Enable process supervisors such as PM2 or Kubernetes liveness probes to restart crashed instances automatically

Patch Information

The fix is available in LibreChat version 0.7.6. Apply the patch by pulling the latest release from the LibreChat GitHub repository or by updating container images to the corresponding tag. The patch adds structured error handling and logging inside the checkBan middleware so exceptions are caught and forwarded rather than propagated to the runtime.

Workarounds

  • Place LibreChat behind a reverse proxy configured to validate and sanitize request payloads before they reach the application
  • Add rate limiting at the network edge to slow abuse of the crash primitive while patches are deployed
  • Implement a global Express error handler in custom forks to catch unhandled exceptions from all middleware
bash
# Upgrade LibreChat to the patched release
git fetch --tags
git checkout v0.7.6
npm install
npm run build
# Or, for container deployments:
docker pull ghcr.io/danny-avila/librechat:v0.7.6
docker compose up -d

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.