CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-10361: Arbitrary File Deletion via Path Traversal in danny-avila/librechat

8.1 CVSS

Description

An arbitrary file deletion vulnerability exists in danny-avila/librechat version v0.7.5-rc2, specifically within the /api/files endpoint. This vulnerability arises from improper input validation, allowing path traversal techniques to delete arbitrary files on the server. Attackers can exploit this to bypass security mechanisms and delete files outside the intended directory, including critical system files, user data, or application resources. This vulnerability impacts the integrity and availability of the system.

Classification

CVE ID: CVE-2024-10361

CVSS Base Severity: HIGH

CVSS Base Score: 8.1

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Problem Types

CWE-73 External Control of File Name or Path

Affected Products

Vendor: danny-avila

Product: danny-avila/librechat

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 15.59% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-10361
https://huntr.com/bounties/e811f7f7-9556-4564-82e2-5b3d17599b2d
https://github.com/danny-avila/librechat/commit/0b744db1e2af31a531ffb761584d85540430639c

Timeline

2025-03-20 11:40:12 UTC
CVE

Arbitrary File Deletion via Path Traversal in danny-avila/librechat