ByteOS Network

NVD Vulnerability Details :

CVE-2026-31949

Analyzed

Source-security-advisories@github.com

Published At-13 Mar, 2026 | 19:54

Updated At-17 Mar, 2026 | 12:26

LibreChat is a ChatGPT clone with additional features. Prior to 0.8.3-rc1, a Denial of Service (DoS) vulnerability exists in the DELETE /api/convos endpoint that allows an authenticated attacker to crash the Node.js server process by sending malformed requests. The DELETE /api/convos route handler attempts to destructure req.body.arg without validating that it exists. The server crashes due to an unhandled TypeError that bypasses Express error handling middleware and triggers process.exit(1). This vulnerability is fixed in 0.8.3-rc1.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Type: Secondary

Version: 3.1

Base score: 6.5

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CPE Matches

librechat>>librechat>>Versions before 0.8.3(exclusive)

cpe:2.3:a:librechat:librechat:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-248	Primary	security-advisories@github.com

CWE ID: CWE-248

Type: Primary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/danny-avila/LibreChat/security/advisories/GHSA-5m32-chq6-232p	security-advisories@github.com	Mitigation Vendor Advisory Exploit

Hyperlink: https://github.com/danny-avila/LibreChat/security/advisories/GHSA-5m32-chq6-232p

Source: security-advisories@github.com

Resource:

Mitigation

Vendor Advisory

Exploit

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History