CVE-2026-31949
Denial of Service in LibreChat DELETE /api/convos Endpoint
Publication date: 2026-03-13
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| librechat | librechat | to 0.8.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-248 | An exception is thrown from a function, but it is not caught. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability impact me?
This vulnerability can cause the LibreChat server to crash completely, resulting in a Denial of Service.
When exploited, the server process terminates abruptly, making the chat service unavailable to all users until the server is manually restarted.
There is no impact on data confidentiality or integrity, but all ongoing requests are terminated unexpectedly, disrupting service availability.
Can you explain this vulnerability to me?
CVE-2026-31949 is a Denial of Service (DoS) vulnerability in the LibreChat package affecting the DELETE /api/convos endpoint in versions prior to 0.8.3-rc1.

The vulnerability occurs because the route handler tries to destructure properties from req.body.arg without checking whether req.body or req.body.arg exists. If req.body.arg is missing or null, this causes a synchronous TypeError.

This error bypasses Express 4's error handling middleware and triggers a global uncaughtException handler that calls process.exit(1), crashing the entire Node.js server process and causing complete service unavailability.

Exploitation requires an authenticated user with a valid JWT token but no special conditions beyond sending a malformed DELETE request with an empty or null "arg" field. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes of the LibreChat Node.js server process, especially following DELETE requests to the /api/convos endpoint with malformed JSON bodies.

To test for the vulnerability, you can send crafted DELETE requests with an empty JSON body or with {"arg": null} in the request body to the /api/convos endpoint using a valid JWT token.

Example commands using curl to test the vulnerability (replace <TOKEN> with a valid JWT token and <URL> with your server URL):

- `curl -X DELETE <URL>/api/convos -H "Authorization: Bearer <TOKEN>" -H "Content-Type: application/json" -d '{}'`
- `curl -X DELETE <URL>/api/convos -H "Authorization: Bearer <TOKEN>" -H "Content-Type: application/json" -d '{"arg": null}'`

If the server crashes or restarts after these requests, it indicates the presence of the vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade LibreChat to version 0.8.3-rc1 or later, where this vulnerability is fixed.
If upgrading is not immediately possible, consider implementing input validation middleware (such as express-validator or joi) to ensure that req.body and req.body.arg exist and are valid before processing.
Additionally, adding error handling improvements such as wrapping async route handlers with an asyncHandler and adding unhandledRejection handlers can help prevent the server from crashing due to unhandled exceptions.
Restrict access to the DELETE /api/convos endpoint to only trusted authenticated users, as exploitation requires a valid JWT token.
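The unguarded destructuring described in the explanation above and the validation-plus-asyncHandler mitigation recommended here, as an added example modelled on that description rather than taken from LibreChat's source; the `conversationId` field name, the request shape and the `simulate` helper are assumptions:

```javascript
// Added example, not LibreChat's code: a minimal model of the handler pattern
// described in the advisory. The field name `conversationId` and the
// request/response shapes are assumptions; the guard logic is the point.

// Vulnerable pattern: destructures req.body.arg with no existence check.
// A body of `{}` or `{"arg": null}` makes req.body.arg undefined/null, so the
// destructuring throws a TypeError. Inside an async Express 4 handler that
// throw becomes a rejected promise that never reaches error middleware.
function vulnerableDeleteConvos(req) {
  const { conversationId } = req.body.arg;
  return { status: 200, deleted: conversationId };
}

// Hardened pattern: validate the nested structure before destructuring and
// answer 400 for malformed input instead of throwing.
function validateDeleteArg(body) {
  if (!body || typeof body !== 'object') return 'request body must be a JSON object';
  const { arg } = body;
  if (!arg || typeof arg !== 'object') return '"arg" must be a non-null object';
  if (typeof arg.conversationId !== 'string' || arg.conversationId === '') {
    return '"arg.conversationId" must be a non-empty string';
  }
  return null; // valid
}

function hardenedDeleteConvos(req) {
  const problem = validateDeleteArg(req.body);
  if (problem) return { status: 400, error: problem };
  const { conversationId } = req.body.arg;
  return { status: 200, deleted: conversationId };
}

// Second layer of defence: wrap async handlers so any rejection is forwarded
// to next(err), i.e. to Express's error middleware, instead of surfacing as an
// unhandledRejection/uncaughtException that a global handler turns into
// process.exit(1).
function asyncHandler(fn) {
  return (req, res, next) => Promise.resolve(fn(req, res, next)).catch(next);
}

// Simulates one request body against a handler: returns the handler's
// response, or a 'crash' record for the TypeError that would have escaped.
function simulate(handler, body) {
  try {
    return handler({ body });
  } catch (err) {
    return { status: 'crash', error: `${err.name}: ${err.message}` };
  }
}
```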