CVE-2025-7105
Unknown Unknown - Not Provided
Denial of Service via Unrestricted Fork in librechat API

Publication date: 2026-02-02

Last updated on: 2026-02-02

Assigner: huntr.dev

Description
A vulnerability in danny-avila/librechat allows attackers to exploit the unrestricted Fork Function in `/api/convos/fork` to fork numerous contents rapidly. If the forked content includes a Mermaid graph with a large number of nodes, it can lead to a JavaScript heap out of memory error upon service restart, causing a denial of service. This issue affects the latest version of the product.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-02
Last Modified
2026-02-02
Generated
2026-06-16
AI Q&A
2026-02-02
EPSS Evaluated
2026-06-14
NVD
CVE-2025-7105
EUVD
EUVD-2025-206617
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
danny_avila librechat *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in danny-avila/librechat allows attackers to exploit the unrestricted Fork Function at the endpoint `/api/convos/fork` to rapidly fork numerous contents. If the forked content contains a Mermaid graph with a large number of nodes, it can cause a JavaScript heap out of memory error when the service restarts, leading to a denial of service condition.

Impact Analysis

The vulnerability can impact you by causing a denial of service (DoS) on the affected service. Attackers can abuse the fork function to create many forked contents with complex Mermaid graphs, which exhausts the JavaScript heap memory upon service restart, making the service unavailable or unstable.

Detection Guidance

Detection can focus on monitoring the rate of requests to the `/api/convos/fork` endpoint to identify excessive forking activity. Since the vulnerability involves rapid forking of content, especially Mermaid graphs with many nodes, you can detect potential exploitation by checking for a high number of POST requests to this endpoint within a short time frame. For example, using command-line tools like `grep` and `awk` on web server logs to count requests per IP or user within a time window. Example commands: 1. `grep '/api/convos/fork' access.log | awk '{print $1}' | sort | uniq -c | sort -nr` to count requests per IP. 2. Use tools like `fail2ban` or custom scripts to alert on high request rates to this endpoint. Additionally, monitoring for HTTP 429 responses (Too Many Requests) can indicate that rate limiting is triggered, which is a sign of attempted exploitation. [1]

Mitigation Strategies

Immediate mitigation involves implementing rate limiting on the `/api/convos/fork` endpoint to prevent rapid and excessive forking requests. The patch introduces middleware using `express-rate-limit` with configurable limits per IP and per authenticated user. Recommended steps: 1. Deploy rate limiting middleware similar to the one described, with defaults such as 30 requests per IP per minute and 7 requests per user per minute. 2. Configure logging for violations to monitor abuse attempts. 3. Ensure the client-side handles HTTP 429 responses gracefully to inform users about rate limits. These steps will reduce the risk of denial of service caused by memory exhaustion from excessive forking. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-7105. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart