Critical severity · 9.1 (NVD) · Advisory · Published Nov 25, 2024 · Updated Apr 15, 2026
CVE-2024-52787
Description
An issue in the upload_documents method of libre-chat v0.0.6 allows attackers to perform a path traversal by supplying a crafted filename in an uploaded file.
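As an added example (not code from libre-chat or werkzeug), the pre-patch join is shown beside a lexical containment check modelled on the approach werkzeug.utils.safe_join takes; DOCUMENTS_PATH is a constructed stand-in for conf.vector.documents_path.

```python
import os
import posixpath
from typing import Optional

# Constructed stand-in for self.conf.vector.documents_path in libre-chat.
DOCUMENTS_PATH = "/srv/libre-chat/documents"


def vulnerable_target(documents_path: str, filename: str) -> str:
    """Pre-patch behaviour: os.path.join trusts the client-supplied name.

    A filename with ".." segments climbs out of documents_path, and an
    absolute filename makes os.path.join discard documents_path entirely.
    """
    return os.path.join(documents_path, filename)


def safe_target(documents_path: str, filename: str) -> Optional[str]:
    """Lexical containment check in the style of werkzeug.utils.safe_join.

    Returns the joined path, or None when the name must be rejected.
    Written for this example; it is not werkzeug's or libre-chat's code.
    Like werkzeug's check it is purely lexical: it does not resolve
    symlinks that may already exist inside documents_path.
    """
    if not filename:
        return None
    # Conservative choice: a backslash is a separator on Windows, so refuse
    # it outright rather than reason about the deployment platform.
    if "\\" in filename:
        return None
    # Collapse "a/../b" style segments first; afterwards any remaining ".."
    # can only point above the base directory.
    normalised = posixpath.normpath(filename)
    if (posixpath.isabs(normalised)
            or normalised in (".", "..")
            or normalised.startswith("../")):
        return None
    return posixpath.join(documents_path, normalised)


if __name__ == "__main__":
    for name in ("report.pdf", "sub/../report.pdf", "../../../etc/passwd", "/etc/passwd"):
        print(f"{name!r:24} join -> {vulnerable_target(DOCUMENTS_PATH, name)}")
        print(f"{'':24} safe -> {safe_target(DOCUMENTS_PATH, name)}")
```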
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| libre-chat (PyPI) | <= 0.0.6 | — |
Patches
dbb8e3400e52 · Merge pull request #9 from jxfzzzt/main
1 file changed · +8 −1
src/libre_chat/router.py+8 −1 modified@@ -3,6 +3,7 @@ from dataclasses import dataclass from typing import Any, Dict, List, Optional, Union +import werkzeug from fastapi import APIRouter, Body, File, HTTPException, Request, UploadFile, WebSocket from fastapi.responses import JSONResponse from langchain.callbacks.base import AsyncCallbackHandler @@ -123,7 +124,13 @@ def upload_documents( ) for uploaded in files: if uploaded.filename: # no cov - file_path = os.path.join(self.conf.vector.documents_path, uploaded.filename) + file_path = werkzeug.utils.safe_join(self.conf.vector.documents_path, uploaded.filename) + if file_path is None: + raise HTTPException( + status_code=403, + detail=f"Invalid file name: {uploaded.filename}", + ) + with open(file_path, "wb") as file: file.write(uploaded.file.read()) # Check if the uploaded file is a zip file
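Review bot: `import werkzeug` followed by `werkzeug.utils.safe_join(...)` relies on `werkzeug.utils` having been imported transitively by the package's own `__init__`; import the function explicitly (`from werkzeug.utils import safe_join`) so the call does not break if that internal import graph changes, and make sure werkzeug is declared as a dependency, since the rest of the module imports only fastapi and langchain. The comment `# Check if the uploaded file is a zip file` just below the changed lines suggests archives are extracted afterwards; if so, archive member names need the same containment check before anything is written, otherwise the traversal reappears one level down. Minor: 403 Forbidden signals an authorization failure, whereas a malformed filename is a client input error, so 400 Bad Request would be the more conventional status.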
References (6)
- github.com/advisories/GHSA-3864-rp2m-2qfj (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-52787 (GHSA, advisory)
- gist.github.com/jxfzzzt/276a6e8cfbc54d2c2711bb51d8d3dff3 (NVD, web)
- github.com/vemonet/libre-chat/commit/dbb8e3400e5258112179783d74c9cc54310cb72b (NVD, web)
- github.com/vemonet/libre-chat/issues/10 (NVD, web)
- github.com/vemonet/libre-chat/pull/9 (NVD, web)
News mentions (0)
No linked articles in our index yet.