Platform
nodejs
Component
anything-llm
Fixed in
1.2.2
CVE-2024-10513 describes a Path Traversal vulnerability affecting the 'document uploads manager' feature within mintplex-labs/anything-llm. This flaw allows authenticated users with the 'manager' role to access and manipulate the 'anythingllm.db' database file, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions of anything-llm prior to 1.2.2, and a fix is available in version 1.2.2.
The vulnerability lies within the '/api/document/move-files' endpoint, allowing an attacker with 'manager' privileges to manipulate file paths. By crafting malicious requests, an attacker can move the 'anythingllm.db' database file to a publicly accessible directory. This enables the attacker to download the database, potentially exposing sensitive user data, configuration information, or other critical application data. Following the download, the attacker can delete the database file, causing disruption to the application's functionality and potentially leading to data loss for legitimate users. The impact is amplified if the database contains personally identifiable information (PII) or other sensitive data subject to regulatory compliance.
CVE-2024-10513 was publicly disclosed on 2025-03-20. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 7.2 (HIGH) indicates a significant potential for exploitation if left unaddressed. It is not listed on the CISA KEV catalog as of this writing.
Organizations utilizing mintplex-labs/anything-llm in production environments, particularly those with deployments where the 'manager' role has broad access privileges, are at risk. Shared hosting environments where multiple users share the same instance of anything-llm are also particularly vulnerable.
• nodejs / server:
ps aux | grep anything-llm
• nodejs / server:
find / -name anythingllm.db 2>/dev/null
• generic web:
curl -I http://your-anythingllm-server/api/document/move-files?path=../../../../etc/passwd
Exploit status
EPSS
0.27% (51st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-10513 is to immediately upgrade to version 1.2.2 of anything-llm. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict access to the '/api/document/move-files' endpoint to only authorized users with the 'manager' role and enforce strict input validation to prevent path traversal attempts. Implement a Web Application Firewall (WAF) with rules to block requests containing suspicious path manipulation patterns. Regularly monitor application logs for unusual file access or modification activities.
Update anything-llm to version 1.2.2 or later. This version contains a fix for the path traversal vulnerability. The update can be performed through the npm package manager or by following the instructions provided by the vendor.
CVE-2024-10513 is a Path Traversal vulnerability in mintplex-labs/anything-llm versions prior to 1.2.2, allowing authenticated users with the 'manager' role to access and manipulate the database file.
You are affected if you are using an anything-llm version earlier than 1.2.2. Upgrade to version 1.2.2 to mitigate the risk.
Upgrade to version 1.2.2 of anything-llm. As a temporary workaround, restrict access to the '/api/document/move-files' endpoint.
As of the current date, there are no reports of active exploitation of CVE-2024-10513.
Refer to the mintplex-labs/anything-llm repository or their official communication channels for the advisory related to CVE-2024-10513.