CVE-2026-34371 | danny-avila LibreChat up to 0.8.3 writeFileSync path traversal

VDB-355961 · CVE-2026-34371 · GCVE-0-2026-34371 DANNY-AVILA LIBRECHAT UP TO 0.8.3 WRITEFILESYNC PATH TRAVERSAL HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 5.1 $0-$5k 1.96 Summaryinfo A vulnerability marked as critical has been reported in danny-avila LibreChat up to 0.8.3. Affected by this issue is the function writeFileSync. The manipulation leads to path traversal. This vulnerability is documented as CVE-2026-34371. The attack can be initiated remotely. There is not any exploit available. It is suggested to upgrade the affected component. Detailsinfo A vulnerability, which was classified as critical, has been found in danny-avila LibreChat up to 0.8.3. This issue affects the function writeFileSync. The manipulation with an unknown input leads to a path traversal vulnerability. Using CWE to declare the problem leads to CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Impacted is integrity, and availability. The summary by CVE is: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the execute_code sandbox when persisting code-generated artifacts. On deployments using the default local file strategy, a malicious artifact filename containing traversal sequences (for example, ../../../../../app/client/dist/poc.txt) is concatenated into the server-side destination path and written with fs.writeFileSync() without sanitization. This gives any user who can trigger execute_code an arbitrary file write primitive as the LibreChat server user. This vulnerability is fixed in 0.8.4. The advisory is shared at github.com. The identification of this vulnerability is CVE-2026-34371 since 03/27/2026. The exploitation is known to be difficult. The attack may be initiated remotely. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1006 for this issue. Upgrading to version 0.8.4 eliminates this vulnerability. Productinfo Type Chat Software Vendor danny-avila Name LibreChat Version 0.8.0 0.8.1 0.8.2 0.8.3 Website Product: https://github.com/danny-avila/LibreChat/ CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 5.2 VulDB Meta Temp Score: 5.1 VulDB Base Score: 4.2 VulDB Temp Score: 4.0 VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA Base Score: 6.3 CNA Vector (GitHub_M): 🔒 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Path traversal CWE: CWE-22 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: LibreChat 0.8.4 Timelineinfo 03/27/2026 CVE reserved 04/07/2026 +10 days Advisory disclosed 04/07/2026 +0 days VulDB entry created 04/07/2026 +0 days VulDB entry last update Sourcesinfo Product: github.com Advisory: github.com Status: Confirmed CVE: CVE-2026-34371 (🔒) GCVE (CVE): GCVE-0-2026-34371 GCVE (VulDB): GCVE-100-355961 Entryinfo Created: 04/07/2026 23:36 Changes: 04/07/2026 23:36 (65) Complete: 🔍 Cache ID: 99:7C0:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸