NIXPKGS-2026-0644

GitHub issue published on 15 Mar 2026

Permalink CVE-2026-31949

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): HIGH

updated 1 week ago by @LeSuisse Activity log

Created automatic suggestion 1 week, 2 days ago
@LeSuisse accepted 1 week ago
@LeSuisse published on GitHub 1 week ago

LibreChat Denial of Service (DoS) via Unhandled Exception in DELETE /api/convos

LibreChat is a ChatGPT clone with additional features. Prior to 0.8.3-rc1, a Denial of Service (DoS) vulnerability exists in the DELETE /api/convos endpoint that allows an authenticated attacker to crash the Node.js server process by sending malformed requests. The DELETE /api/convos route handler attempts to destructure req.body.arg without validating that it exists. The server crashes due to an unhandled TypeError that bypasses Express error handling middleware and triggers process.exit(1). This vulnerability is fixed in 0.8.3-rc1.

References

https://github.com/danny-avila/LibreChat/security/advisories/GHSA-5m32-chq6-232p x_refsource_CONFIRM

Affected products

LibreChat

==< 0.8.3-rc1

Matching in nixpkgs

pkgs.librechat

Open-source app for all your AI conversations, fully customizable and compatible with any AI provider

nixos-unstable 0.8.0
- nixpkgs-unstable 0.8.0
- nixos-unstable-small 0.8.0
nixos-25.11 0.8.0
- nixos-25.11-small 0.8.0
- nixpkgs-25.11-darwin 0.8.0

Package maintainers

@niklaskorz Niklas Korz <nixpkgs@korz.dev>

Upstream advisory: https://github.com/danny-avila/LibreChat/security/advisories/GHSA-5m32-chq6-232p

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0644

References

Affected products

Matching in nixpkgs

pkgs.librechat

Package maintainers