How to fix CVE-2024-11171?

Within 7 days: Identify all affected systems running danny-avila/librechat and apply vendor patches promptly. Vendor patch is available.

Is Librechat affected by CVE-2024-11171?

Organizations using danny-avila/librechat face notable risk from CVE-2024-11171 rated CVSS 7.5. Exploitation could compromise the security of affected deployments. Proof-of-concept code is publicly available, increasing the risk of exploitation.

CVE-2024-11171

HIGH

2025-03-20 [email protected]

7.5

CVSS 3.0

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:32 vuln.today

Patch Released

Mar 28, 2026 - 18:32 nvd

Patch available

PoC Detected

Oct 15, 2025 - 13:15 vuln.today

Public exploit code

CVE Published

Mar 20, 2025 - 10:15 nvd

HIGH 7.5

Description

In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. The application uses multer middleware for handling multipart file uploads. When using in-memory storage (the default setting for multer), there is no limit on the upload file size. This can lead to a server crash due to out-of-memory errors when handling large files. An attacker without any privileges can exploit this vulnerability to cause a complete denial of service. The issue is fixed in version 0.7.6.

Analysis

In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical Context

This vulnerability is classified as Allocation of Resources Without Limits (CWE-770), which allows attackers to exhaust system resources through uncontrolled allocation. In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. The application uses multer middleware for handling multipart file uploads. When using in-memory storage (the default setting for multer), there is no limit on the upload file size. This can lead to a server crash due to out-of-memory errors when handling large files. An attacker without any privileges can exploit this vulnerability to cause a complete denial of service. The issue is fixed in version 0.7.6. Affected products include: Librechat. Version information: version 0.7.6..

Affected Products

Librechat.

Remediation

A vendor patch is available. Apply the latest security update as soon as possible. Set resource limits, implement rate limiting, validate input sizes.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.2

CVSS: +38

POC: +20

CVE-2024-11171 vulnerability details – vuln.today

Back

CVE-2024-11171

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2024-11171

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code