Impact
A missing rate limiter on the /api/convos/duplicate endpoint allows an authenticated user to repeatedly duplicate conversations, performing the same expensive database operations that the vendor originally fixed on /api/convos/fork for CVE-2025-7105. By bypassing the intended control, an attacker can exhaust server resources, leading to degraded performance or a service outage. This flaw is a classic example of CWE-770, where insufficient resource exhaustion mitigations are left in place while the affected functionality remains exposed.
Affected Systems
LibreChat bundled with the open‑source project by danny‑avila is vulnerable in any release prior to 0.8.4‑rc1. Users employing earlier versions have the duplicate endpoint unsecured and can fully exploit it. The patch in 0.8.4‑rc1 introduces the missing rate limiter and resolves the issue.
Risk and Exploitability
The CVSS score of 6.5 indicates a moderate severity, reflecting the need for authentication to abuse the flaw and the potential but not guaranteed impact. The EPSS score is not provided, and the vulnerability does not appear in CISA’s KEV catalog, suggesting no publicly known active exploits at the time of analysis. Attackers would need to authenticate to the service and repeatedly issue POST /api/convos/duplicate requests. The lack of a formal limiter makes exploitation straightforward for any legitimate user who could be coerced into misusing the endpoint.
OpenCVE Enrichment