Impact
LibreChat contains an incomplete fix for a prior file-upload size limitation vulnerability. The POST /api/convos/import endpoint uses a separate Multer instance that was never configured with file size limits, and the application-level size check is disabled by default. An authenticated user can therefore upload arbitrarily large files, consuming disk space and memory until the system becomes unresponsive or crashes. This flaw corresponds to CWE-770, unsafe resource handling, and results in denial of service rather than direct data exposure or code execution.
Affected Systems
The affected vendor is danny-avila:LibreChat. Versions prior to 0.8.4-rc1 lack the proper size limits on the conversation import route and are therefore vulnerable. All releases up to that point are impacted, regardless of the specific patch level.
Risk and Exploitability
The vulnerability receives a CVSS score of 6.5, indicating a medium severity issue. No EPSS score is published, and the flaw is not listed in CISA's KEV catalog. Exploitation requires authentication and access to the /api/convos/import endpoint; no special network position or privilege escalation is required. An attacker could upload large payloads until the host runs out of disk or memory, leading to service disruption. Given the lack of a published exploit and the moderate severity, the risk is moderate but warrants prompt remediation.
OpenCVE Enrichment