PT-2025-12102 · Librechat · Librechat

Published 2025-03-20 · Updated 2025-03-20 · CVE-2024-11171

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: danny-avila/librechat versions prior to 0.7.6

Description: The issue is related to improper input validation, specifically in the handling of multipart file uploads with the multer middleware. When in-memory storage is used, there is no limit on the upload file size, so handling large files can cause a server crash due to out-of-memory errors. An attacker without any privileges can exploit this to cause a complete denial of service.

Recommendations: For versions prior to 0.7.6, update to version 0.7.6 to resolve the issue. As a temporary workaround, consider configuring multer to use disk storage instead of in-memory storage to limit the upload file size and prevent out-of-memory errors. Restrict access to large file uploads to minimize the risk of exploitation.
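As an added example (not LibreChat's or multer's own code), the unbounded multer setup beside a bounded one, plus a small routine showing what a byte cap changes for in-memory buffering; `MAX_UPLOAD_BYTES` is an assumed value and the sample chunks are constructed. multer's `limits.fileSize` applies whether memory or disk storage is used.

```javascript
// Added example; the limit value is an assumption, choose it per deployment.
const MAX_UPLOAD_BYTES = 20 * 1024 * 1024; // 20 MiB (assumed cap)

// Before: with neither `dest` nor `storage`, multer keeps each file in memory,
// and with no `limits` it buffers as many bytes as the client chooses to send.
const unsafeMulterOptions = {};

// After: memory storage may stay, but every size a client controls is bounded.
// The keys under `limits` are multer's documented options; the middleware
// raises a LIMIT_FILE_SIZE error and stops reading once a part passes fileSize.
function hardenedMulterOptions(maxBytes = MAX_UPLOAD_BYTES) {
  return {
    limits: {
      fileSize: maxBytes, // bytes per file part
      files: 1,           // file parts per request
      fields: 10,         // non-file parts per request
      fieldSize: 1024,    // bytes per non-file field
    },
  };
}

// The byte-level effect of the cap: accumulate the chunks of one file part, but
// abort as soon as the running total exceeds the limit, so a single request can
// never grow a buffer without bound. Without this check, an in-memory storage
// engine simply concatenates everything it receives, which is the OOM path.
class UploadTooLarge extends Error {
  constructor(seen, max) {
    super(`file part exceeded ${max} bytes (received at least ${seen})`);
    this.code = 'LIMIT_FILE_SIZE';
  }
}

function collectBounded(chunks, maxBytes) {
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.length;
    if (total > maxBytes) throw new UploadTooLarge(total, maxBytes);
    parts.push(chunk);
  }
  return Buffer.concat(parts, total);
}

// Constructed sample: three 4 KiB chunks (12 KiB in total), as a multipart
// parser would hand them to the storage engine.
const sampleChunks = [0x41, 0x42, 0x43].map((b) => Buffer.alloc(4096, b));
```

With a 16 KiB cap `collectBounded` assembles the 12 KiB file; with an 8 KiB cap it rejects the request during the second chunk instead of holding the rest in memory.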

Exploit

Fix

RCE

Allocation of Resources Without Limits


Weakness Enumeration

Related Identifiers: CVE-2024-11171

Affected Products: Librechat