Platform
nodejs
Component
mintplex-labs/anything-llm
Fixed in
1.0.1
CVE-2024-0440 is a critical Server-Side Request Forgery (SSRF) vulnerability affecting versions of the anything-llm Node.js library up to and including 1.0.0. An attacker who can submit links (for example via a POST request) can use the file:// protocol to read host files and other files stored at relative paths. A fix is available in version 1.0.0.
The SSRF vulnerability in anything-llm poses a significant risk because it lets attackers read files from the server's file system. This could include configuration files containing database credentials, API keys, or other secrets. An attacker could potentially gain access to internal resources and data that should not be publicly accessible. The file reads run with the privileges of the application's user, so the impact is amplified if the application runs with elevated privileges. Successful exploitation could lead to complete compromise of the server and the data it holds.
CVE-2024-0440 was publicly disclosed on 2024-02-25. No public proof-of-concept (PoC) exploits were known at the time of writing, but SSRF issues of this kind are simple to reproduce, so PoCs are likely to emerge. The vulnerability is not currently listed in the CISA KEV catalog. Given the critical CVSS score and the ease of exploitation (requiring only the ability to submit a URL), active exploitation is possible.
Exploit Status
EPSS
0.19% (41st percentile)
CVSS Vector
The primary mitigation for CVE-2024-0440 is to upgrade to version 1.0.0 of the anything-llm library. If upgrading is not immediately feasible, apply strict input validation to every URL submitted by users: reject or sanitize any request whose URL uses the file:// protocol. A Web Application Firewall (WAF) can also block requests containing suspicious URLs. Additionally, restrict the application's file system access to the directories it actually needs, limiting the impact of a successful SSRF attack. After upgrading, confirm the fix by submitting a POST request with a file:// URL and verifying that it is rejected.
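As an added example (not code from the anything-llm project), the following Node.js check illustrates the input-validation mitigation above. Matching only the literal string "file://" is fragile, since scheme matching is case-insensitive, "file:/path" needs no double slash, and WHATWG URL parsing strips leading whitespace, so the check parses the URL and allows only http: and https:. The function name and sample inputs are constructed for this illustration.

```javascript
// Added example, not part of anything-llm: allowlist-based validation for
// user-submitted link URLs. Uses Node's global WHATWG URL parser.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns { ok: true, url } for an acceptable absolute http(s) URL, otherwise
// { ok: false, reason } so the caller can reject the request with a 4xx.
function validateLinkUrl(input) {
  if (typeof input !== 'string' || input.length === 0) {
    return { ok: false, reason: 'url must be a non-empty string' };
  }
  let parsed;
  try {
    // No base URL is supplied: a relative input such as "/etc/hostname"
    // fails here instead of being resolved against the fetcher's base.
    parsed = new URL(input);
  } catch {
    return { ok: false, reason: 'url is not an absolute URL' };
  }
  // parsed.protocol is normalised to lower case, so "FILE:" and "file:"
  // are both caught by the allowlist comparison.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return { ok: false, reason: `scheme ${parsed.protocol} is not allowed` };
  }
  return { ok: true, url: parsed.href };
}

// Constructed sample inputs covering the denylist-bypass variants above.
const SAMPLES = [
  'https://example.com/page',   // accepted
  'file:///etc/hostname',       // rejected: file scheme
  'FILE:///etc/hostname',       // rejected: upper-case scheme
  '  file:/etc/hostname',       // rejected: leading spaces, single slash
  '/etc/hostname',              // rejected: relative path, not a URL
  'ftp://example.com/x',        // rejected: scheme not in allowlist
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), validateLinkUrl(s));
}
```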
Update the Anything LLM application to version 1.0.0 or later. This version contains a fix for the SSRF vulnerability that prevents unauthorized access to system files. The update can be performed via the npm package manager or by following the upgrade instructions provided by the vendor.
CVE-2024-0440 is a critical SSRF vulnerability in the anything-llm Node.js library that lets attackers read host files by submitting file:// URLs in POST requests.
You are affected if you are using anything-llm versions less than or equal to 1.0.0 and are not validating user-supplied URLs.
Upgrade to version 1.0.0 of anything-llm. If immediate upgrade isn't possible, implement strict input validation to filter out file:// URLs.
While no public exploits are currently known, the CRITICAL severity and ease of exploitation suggest active exploitation is possible.
Refer to the project's repository or website for the official advisory, typically found in the release notes or security announcements.