CVE-2026-54037
LibreChat: Incomplete Fix for CVE-2025-7105 โ /api/convos/duplicate Lacks Rate Limiting Applied to /api/convos/fork
CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the fix for CVE-2025-7105 added forkIpLimiter and forkUserLimiter rate limiters to POST /api/convos/fork to prevent rapid-fire conversation duplication. However, the POST /api/convos/duplicate endpoint โ which is in the same file and performs the exact same expensive database operations โ was not given any rate limiter. An authenticated user can bypass the CVE-2025-7105 fix by using /duplicate instead of /fork to exhaust server resources. This vulnerability is fixed in 0.8.4-rc1.
| CWE | CWE-770 |
| Vendor | danny-avila |
| Product | librechat |
| Published | Jun 25, 2026 |
| Last Updated | Jun 25, 2026 |
Stay Ahead of the Next One
Get instant alerts for danny-avila librechat
Be the first to know when new medium vulnerabilities affecting danny-avila librechat are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected Versions
danny-avila / LibreChat
< 0.8.4-rc1