CRITICAL🇵🇱 Wersja polska

CVE-2024-41703

CVSS 9.8v3.1pub. 2024-07-22upd. 2024-11-21

LibreChat through 0.7.4-rc1 has incorrect access control for message updates.

🤖 AI Analysis
How it works

The access control mechanism responsible for verifying permissions during message updates is implemented incorrectly. An attacker can send message modification requests without having appropriate permissions, because the application does not properly verify the identity or permissions of the requester. The attack vector is network-based, requires no authentication or user interaction, making the exploit exceptionally easy to perform.

Impact

An attacker can gain unauthorized access to message content without authentication, modify or delete it, leading to violations of confidentiality, integrity, and availability of data stored in the system.

Mitigation & patch

Apply patches available from the vendor according to the references — the fix was introduced as part of pull request #3363 in the LibreChat GitHub repository

Who is affected

LibreChat in all versions up to and including 0.7.4-rc1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Librechat

    APP
    Librechat
    0.7.4≤ 0.7.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-32625CRITICAL9.6PL ✓ten sam produkt

LibreChat: wyciek zmiennych środowiskowych przez konfigurację MCP

CVE-2026-22252CRITICAL9.1PL ✓ten sam produkt

LibreChat: RCE jako root przez MCP stdio transport bez walidacji poleceń

CVE-2025-69222CRITICAL9.1PL ✓ten sam produkt

SSRF w LibreChat — brak ograniczeń funkcji Actions w domyślnej konfiguracji

CVE-2024-10361CRITICAL9.1PL ✓ten sam produkt

LibreChat: path traversal umożliwiający usunięcie dowolnych plików

CVE-2024-41704CRITICAL9.8PL ✓ten sam produkt

Path Traversal w LibreChat — brak walidacji ścieżek obrazów