CVE-2025-8849 — HIGH (7.5) — White Hats Nepal

Vulnerability Description

LibreChat version 0.7.9 is vulnerable to a Denial of Service (DoS) attack due to unbounded parameter values in the `/api/memories` endpoint. The `key` and `value` parameters accept arbitrarily large inputs without proper validation, leading to a null pointer error in the Rust-based backend when excessively large values are submitted. This results in the inability to create new memories, impacting the stability of the service.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Librechat	Librechat	0.7.9

Related Weaknesses (CWE)

CWE-400

References

https://github.com/danny-avila/librechat/commit/edf33bedcbb08c33e59df76f06454ed7Patch
https://huntr.com/bounties/e9d9404c-cd19-4226-a580-9cba14b7d7d6ExploitMitigationThird Party Advisory

FAQ

What is CVE-2025-8849?

CVE-2025-8849 is a vulnerability with a CVSS score of 7.5 (HIGH). LibreChat version 0.7.9 is vulnerable to a Denial of Service (DoS) attack due to unbounded parameter values in the `/api/memories` endpoint. The `key` and `value` parameters accept arbitrarily large i...

How severe is CVE-2025-8849?

CVE-2025-8849 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-8849?

Check the references section above for vendor advisories and patch information. Affected products include: Librechat Librechat.