Key vulnerability information

Title: Denial of Service via Unbounded parameter values in danny-avila/librechat
Reported: Aug 2nd 2025

Vulnerability details
CVE: CVE-2025-8849
Type: CWE-400: Denial of Service
Severity: Medium (5.4)
Affected versions: 0.7.9
Visibility: Public
Status: Fixed

Description
The endpoint in LibreChat accepts arbitrarily large values for the and parameters, which are not properly validated; submitting over 100 crore (approx. 1 billion) characters results in a 500 Internal Server Error. Users and admins cannot create new memories until the server is restarted, causing a DoS for this feature and potentially impacting backend stability.

Exploit script

Impact
Attackers can exploit this by sending crafted requests with large key and value parameters, crashing the Rust-based service and making the memory creation feature unusable.

Mitigation
Implement strict input validation with character limits (e.g., key ≤ 1000, value ≤ 10000 characters). Use Rust's safety mechanisms and proper error handling to avoid null pointer dereferencing.

Discovered by: Akshay Ravi
Fixed by: Danny Avila
Location:
Fix commit: edf33bedcbb08c33e59df76f06454ed7efd896f9
Fixed in v0.8.0-rc2
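One way to implement the validation the mitigation calls for, as an added example that is not LibreChat's own code: an Express-style guard for the memory-creation request body that enforces the advisory's limits (key ≤ 1000, value ≤ 10000 characters) and answers with a 400 instead of letting oversized input reach code that fails with a 500. The field names `key` and `value` come from the advisory; the Node/Express request shape, the `req.body` layout and the middleware placement are assumptions.

```javascript
// Added example (not LibreChat's code): reject oversized `key`/`value`
// parameters before they reach the memory-creation handler.
// Limits are the ones the advisory suggests; field names and the
// Express-style (req, res, next) shape are assumptions.
const LIMITS = { key: 1000, value: 10000 };

// Returns null when the body is acceptable, otherwise a short error string.
function validateMemoryInput(body) {
  if (body === null || typeof body !== 'object') return 'body must be a JSON object';
  for (const field of Object.keys(LIMITS)) {
    const v = body[field];
    if (typeof v !== 'string') return `${field} must be a string`;
    // Length is counted in UTF-16 code units; whitespace-only values are rejected too.
    if (v.trim().length === 0) return `${field} must not be empty`;
    if (v.length > LIMITS[field]) return `${field} exceeds ${LIMITS[field]} characters`;
  }
  return null;
}

// Middleware built on the validator. Mount it in front of the memory-creation
// handler, and pair it with a body-size limit on the JSON parser
// (e.g. express.json({ limit: '64kb' })) so a request carrying hundreds of
// megabytes is refused before it is even parsed, not just before it is stored.
function memoryInputGuard(req, res, next) {
  const error = validateMemoryInput(req.body);
  if (error) {
    res.status(400).json({ error });
    return;
  }
  next();
}

// Constructed sample bodies for a stand-alone run; returns each verdict.
function demo() {
  const cases = {
    ok: { key: 'favorite_language', value: 'Rust' },
    oversizedValue: { key: 'k', value: 'x'.repeat(LIMITS.value + 1) },
    missingKey: { value: 'orphan' },
  };
  const results = {};
  for (const [name, body] of Object.entries(cases)) results[name] = validateMemoryInput(body);
  return results;
}
```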