Compliance Impact

I don't know

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause the LibreChat server to crash completely, resulting in a Denial of Service.

When exploited, the server process terminates abruptly, making the chat service unavailable to all users until the server is manually restarted.

There is no impact on data confidentiality or integrity, but all ongoing requests are terminated unexpectedly, disrupting service availability.

Useful 0 Not Useful 0

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-31949 is a Denial of Service (DoS) vulnerability in the LibreChat package affecting the DELETE /api/convos endpoint in versions prior to 0.8.3-rc1.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the route handler tries to destructure properties from req.body.arg without checking if req.body or req.body.arg exists. If req.body.arg is missing or null, this causes a synchronous TypeError.'}, {'type': 'paragraph', 'content': "This error bypasses Express 4's error handling middleware and triggers a global uncaughtException handler that calls process.exit(1), crashing the entire Node.js server process and causing complete service unavailability."}, {'type': 'paragraph', 'content': 'Exploitation requires an authenticated user with a valid JWT token but no special conditions beyond sending a malformed DELETE request with an empty or null "arg" field.'}] [1]

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for crashes of the LibreChat Node.js server process, especially following DELETE requests to the /api/convos endpoint with malformed JSON bodies.'}, {'type': 'paragraph', 'content': 'To test for the vulnerability, you can send crafted DELETE requests with an empty JSON body or with {"arg": null} in the request body to the /api/convos endpoint using a valid JWT token.'}, {'type': 'paragraph', 'content': 'Example commands using curl to test the vulnerability (replace <TOKEN> with a valid JWT token and <URL> with your server URL):'}, {'type': 'list_item', 'content': 'curl -X DELETE <URL>/api/convos -H "Authorization: Bearer <TOKEN>" -H "Content-Type: application/json" -d \'{}\''}, {'type': 'list_item', 'content': 'curl -X DELETE <URL>/api/convos -H "Authorization: Bearer <TOKEN>" -H "Content-Type: application/json" -d \'{"arg": null}\''}, {'type': 'paragraph', 'content': 'If the server crashes or restarts after these requests, it indicates the presence of the vulnerability.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade LibreChat to version 0.8.3-rc1 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, consider implementing input validation middleware (such as express-validator or joi) to ensure that req.body and req.body.arg exist and are valid before processing.

Additionally, adding error handling improvements such as wrapping async route handlers with an asyncHandler and adding unhandledRejection handlers can help prevent the server from crashing due to unhandled exceptions.

Restrict access to the DELETE /api/convos endpoint to only trusted authenticated users, as exploitation requires a valid JWT token.

Useful 0 Not Useful 0