Platform: nodejs
Component: anything-llm
Fixed in: 1.0.1
CVE-2024-0549 is a Path Traversal vulnerability discovered in mintplex-labs/anything-llm, a Node.js application. This flaw allows unauthorized attackers, specifically those with default role accounts, to delete files and folders within the application's filesystem. The critical 'anythingllm.db' database is at risk, potentially leading to significant data loss and service unavailability. The vulnerability is fixed in version 1.0.0.
The primary impact of CVE-2024-0549 is the potential for unauthorized deletion of files and folders. Because the vulnerability requires only a default role account, the barrier to exploitation is relatively low. An attacker could leverage this to delete the 'anythingllm.db' database, effectively crippling the application and causing data loss. Further, an attacker could potentially delete other configuration files or application code, leading to a complete system compromise. The blast radius extends to any data stored within the application's database and any services dependent on the application's functionality.
CVE-2024-0549 was publicly disclosed on April 16, 2024. There is currently no indication of active exploitation campaigns. The vulnerability is not listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the ease of exploitation suggests they may emerge. The vulnerability's reliance on a default role account makes it a potential target for opportunistic attackers.
Exploit Status
EPSS: 0.25% (48th percentile)
The primary mitigation for CVE-2024-0549 is to upgrade to version 1.0.0 of Anything LLM. If upgrading immediately is not feasible, restrict access to the application's file deletion endpoints. Implement robust input validation and normalization on all file and folder paths to prevent traversal attempts. Consider using a Web Application Firewall (WAF) with rules to block requests containing path traversal patterns (e.g., '../'). After upgrading, confirm the fix by attempting a file deletion request with a malicious path (e.g., '/../etc/passwd') and verifying that the request is denied.
Update Anything LLM to version 1.0.0 or later. This version contains a fix for the path traversal vulnerability. Updating will prevent unauthorized users from deleting critical files and folders.
CVE-2024-0549 is a Path Traversal vulnerability affecting Anything LLM versions up to 1.0.0, allowing attackers to delete files with default role accounts.
Yes, if you are using Anything LLM version 1.0.0 or earlier, you are vulnerable to this Path Traversal attack.
Upgrade to version 1.0.0 of Anything LLM. As a temporary workaround, restrict access to file deletion endpoints and implement robust input validation.
There is currently no confirmed evidence of active exploitation, but the vulnerability's ease of exploitation suggests it may become a target.
Refer to the mintplex-labs/anything-llm repository on GitHub for updates and advisories related to CVE-2024-0549.