Allocation of Resources Without Limits or Throttling in LibreChat - #VU133259

Published: June 3, 2026


Vulnerability identifier: #VU133259
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-770
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LibreChat
Affected software: LibreChat

Detailed vulnerability description

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in the conversation import multer instance for the POST /api/convos/import endpoint when handling uploaded conversation import files. A remote user can upload an arbitrarily large file to cause a denial of service.

The application-level size check is disabled by default when the related environment variable is unset, and the uploaded file is written to disk before being fully read into memory and parsed.
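The weak setting the description refers to, beside a hardened one, as an added example that is not LibreChat's own code: an upload-size policy for a multer-backed conversation-import route that fails closed when its environment variable is unset. The variable name IMPORT_MAX_FILE_SIZE_BYTES, the default and ceiling values, the JSON-only filter and the 413 handler are assumptions for illustration.

```javascript
// Added example, not LibreChat's code. IMPORT_MAX_FILE_SIZE_BYTES and the
// numeric defaults below are assumptions chosen for illustration.
const DEFAULT_IMPORT_LIMIT_BYTES = 25 * 1024 * 1024;  // 25 MiB when nothing is configured
const HARD_CEILING_BYTES = 256 * 1024 * 1024;          // upper bound even if configured higher

// Weak pattern described in the advisory: with the variable unset there is no
// fileSize limit at all, so multer accepts a body of any size and writes it to disk.
function weakLimit(env) {
  return env.IMPORT_MAX_FILE_SIZE_BYTES
    ? Number(env.IMPORT_MAX_FILE_SIZE_BYTES)
    : Infinity;
}

// Hardened: unset, empty, non-numeric, zero or negative values fall back to a
// bounded default, and any configured value is clamped to a hard ceiling.
function resolveImportLimit(env) {
  const n = Number.parseInt(env.IMPORT_MAX_FILE_SIZE_BYTES, 10);
  if (!Number.isFinite(n) || n <= 0) return DEFAULT_IMPORT_LIMIT_BYTES;
  return Math.min(n, HARD_CEILING_BYTES);
}

// Options object to pass to multer(...). limits.fileSize makes multer abort the
// upload stream with a LIMIT_FILE_SIZE error instead of spooling the whole body,
// and the fileFilter rejects anything that is not the JSON export the route expects.
function importUploadOptions(env) {
  return {
    limits: { fileSize: resolveImportLimit(env), files: 1 },
    fileFilter(_req, file, cb) {
      const ok = file.mimetype === 'application/json' || /\.json$/i.test(file.originalname);
      cb(ok ? null : new Error('unsupported import file type'), ok);
    },
  };
}

// Express error middleware: report an oversized import as 413 rather than a generic 500,
// which also gives monitoring a distinct signal for repeated oversized uploads.
function uploadErrorHandler(err, _req, res, next) {
  if (err && err.code === 'LIMIT_FILE_SIZE') {
    return res.status(413).json({ error: 'import file exceeds the configured size limit' });
  }
  return next(err);
}
```

Mount it as `multer(importUploadOptions(process.env)).single('file')` on the import route and register `uploadErrorHandler` after the router; multer then rejects the request as soon as the stream passes the limit.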


Remediation

Install the security update from the vendor's website.

Sources