Platform: nodejs
Component: anything-llm
Fixed in: 1.0.1
CVE-2024-0550 is a critical vulnerability affecting Anything LLM versions up to 1.0.0. It allows authenticated, privileged users (with the 'manager' or 'admin' role) to download arbitrary files from the server. The vulnerability arises from a flaw in the profile picture upload process, which lets such users bypass access controls and retrieve files they should not be able to access. The vulnerability was published on 2024-02-28 and a fix is available in version 1.0.0.
The impact of CVE-2024-0550 is significant, particularly for deployments where sensitive data is stored on the server. An attacker who has already obtained privileged access (e.g., through a separate vulnerability or compromised credentials) can leverage this flaw to download any file accessible to the application's backend. This could include configuration files containing database credentials, source code, or other confidential information. The potential for data exfiltration is high, and the attacker could use the downloaded data for further malicious activities, such as identity theft, financial fraud, or disruption of services. The scope of the attack is limited to users with existing privileged access, but the consequences of a successful exploit can be severe.
CVE-2024-0550 is currently not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available, but the vulnerability's description suggests a relatively straightforward exploitation process for attackers with privileged access. The EPSS score is likely to be medium, reflecting the requirement for initial privileged access but the ease of exploitation once that access is obtained. The vulnerability was disclosed publicly on 2024-02-28.
Exploit Status
EPSS: 0.85% (75th percentile)
CVSS Vector
The primary mitigation for CVE-2024-0550 is to upgrade to version 1.0.0 of Anything LLM, which contains the fix for this vulnerability. If upgrading immediately is not feasible, consider temporary workarounds that restrict file access. Specifically, review and strengthen access control lists (ACLs) on the server to limit the files accessible to the application's backend. Implement strict input validation on the profile picture upload endpoint so that relative file paths are rejected. Monitor application logs for suspicious activity, such as unusual file download requests. After upgrading, confirm the fix by attempting to upload a profile picture using a relative file path and verifying that the download fails with an appropriate error message.
Update to a version later than 1.0.0 where the vulnerability has been fixed. The update will mitigate the possibility of privileged users accessing unauthorized system files. See commit e1dcd5ded010b03abd6aa32d1bf0668a48e38e17 for more details on the fix.
CVE-2024-0550 is a critical vulnerability in Anything LLM versions up to 1.0.0 that allows privileged users to download arbitrary files by manipulating profile picture uploads.
If you are using Anything LLM version 1.0.0 or earlier, you are potentially affected by this vulnerability. Check your current version and upgrade immediately if necessary.
The recommended fix is to upgrade to version 1.0.0 of Anything LLM. If immediate upgrade is not possible, implement temporary workarounds like restricting file access and strengthening ACLs.
While there is no widespread confirmation of active exploitation, the vulnerability's ease of exploitation makes it a potential target for attackers with privileged access.
Refer to the official Anything LLM security advisories and release notes for detailed information and updates regarding CVE-2024-0550.