CVE-2024-11170

Exploit

EPSS 2.88%
Veröffentlicht 20.03.2025 10:08:59
Zuletzt bearbeitet 15.07.2025 16:45:15
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of file paths by the multer middleware. This can lead to arbitrary file write and potentially remote code execution. The issue is fixed in version 0.7.6.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Librechat ≫ Librechat Version < 0.7.6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.88%	0.859

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@huntr.dev	8.8	2.8	5.9	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-29 Path Traversal: '\..\filename'

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.

https://github.com/danny-avila/librechat/commit/629be5c0ca2b332178524b4e3f6fac715aea8cc4

Patch

https://huntr.com/bounties/b64156c2-5380-4d4d-af30-b2938dcdd46e

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-11170

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-11170

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-11170

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-11170