Description
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the fix for CVE-2025-7105 added forkIpLimiter and forkUserLimiter rate limiters to POST /api/convos/fork to prevent rapid-fire conversation duplication. However, the POST /api/convos/duplicate endpoint — which is in the same file and performs the exact same expensive database operations — was not given any rate limiter. An authenticated user can bypass the CVE-2025-7105 fix by using /duplicate instead of /fork to exhaust server resources. This vulnerability is fixed in 0.8.4-rc1.
Published: 2026-06-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing rate limiter on the /api/convos/duplicate endpoint allows an authenticated user to repeatedly duplicate conversations, performing the same expensive database operations that the vendor originally fixed on /api/convos/fork for CVE-2025-7105. By bypassing the intended control, an attacker can exhaust server resources, leading to degraded performance or a service outage. This flaw is a classic example of CWE-770, where insufficient resource exhaustion mitigations are left in place while the affected functionality remains exposed.

Affected Systems

LibreChat bundled with the open‑source project by danny‑avila is vulnerable in any release prior to 0.8.4‑rc1. Users employing earlier versions have the duplicate endpoint unsecured and can fully exploit it. The patch in 0.8.4‑rc1 introduces the missing rate limiter and resolves the issue.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity, reflecting the need for authentication to abuse the flaw and the potential but not guaranteed impact. The EPSS score is not provided, and the vulnerability does not appear in CISA’s KEV catalog, suggesting no publicly known active exploits at the time of analysis. Attackers would need to authenticate to the service and repeatedly issue POST /api/convos/duplicate requests. The lack of a formal limiter makes exploitation straightforward for any legitimate user who could be coerced into misusing the endpoint.

Generated by OpenCVE AI on June 25, 2026 at 17:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LibreChat to 0.8.4‑rc1 or later to apply the missing rate limiter on /api/convos/duplicate.
  • If upgrading is not immediately possible, add a custom rate limiter to the /api/convos/duplicate endpoint to restrict duplicate conversation requests per user, e.g., no more than a few per minute.
  • Enable monitoring of database load and server metrics to detect abnormal spikes that could indicate exploitation attempts.

Generated by OpenCVE AI on June 25, 2026 at 17:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Danny-avila
Danny-avila libre Chat
Vendors & Products Danny-avila
Danny-avila libre Chat

Thu, 25 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the fix for CVE-2025-7105 added forkIpLimiter and forkUserLimiter rate limiters to POST /api/convos/fork to prevent rapid-fire conversation duplication. However, the POST /api/convos/duplicate endpoint — which is in the same file and performs the exact same expensive database operations — was not given any rate limiter. An authenticated user can bypass the CVE-2025-7105 fix by using /duplicate instead of /fork to exhaust server resources. This vulnerability is fixed in 0.8.4-rc1.
Title LibreChat: Incomplete Fix for CVE-2025-7105 — /api/convos/duplicate Lacks Rate Limiting Applied to /api/convos/fork
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Danny-avila Libre Chat
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T18:19:33.773Z

Reserved: 2026-06-11T16:57:50.019Z

Link: CVE-2026-54037

cve-icon Vulnrichment

Updated: 2026-06-25T18:18:53.931Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T22:00:12Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling