Platform
nodejs
Component
anything-llm
Fixed in
1.0.1
CVE-2024-0763 describes a path traversal vulnerability discovered in Anything LLM. The flaw allows an authenticated attacker to recursively delete arbitrary folders on the server, potentially leading to significant data loss and service disruption. It affects versions of Anything LLM up to and including 1.0.0; the fix is available in version 1.0.1.
The core of this vulnerability lies in inadequate input sanitization when handling folder deletion requests. An attacker who already holds a valid application login (authorization required) can craft a deletion request whose folder name contains path traversal sequences (e.g., ../../..) to escape the directory the application intends to manage. The server then recursively deletes whatever directory the resolved path points to, limited only by the file-system permissions of the account the service runs as; if that account is privileged, application data or critical system directories are within reach. The blast radius is therefore significant, potentially affecting the entire server and any services relying on the affected data. Although initial application access is required, exploitation once that access is obtained amounts to a single crafted request, which makes this a serious concern.
CVE-2024-0763 was publicly disclosed on February 27, 2024. There is currently no indication of active exploitation in the wild, nor is it listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but because exploitation requires only a crafted deletion request, the absence of a public exploit offers little assurance and such exploits may emerge at any time. The EPSS score listed for this CVE is 0.91% (76th percentile), consistent with the requirement for authenticated access.
Exploit Status
EPSS
0.91% (76th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-0763 is to upgrade to version 1.0.1 or later of Anything LLM as soon as possible. If upgrading is not immediately feasible due to compatibility issues or downtime concerns, implement stricter input validation on the folder deletion endpoint: allow-list the characters permitted in a folder name, reject any value containing path separators or traversal sequences, and, after resolving the path, confirm that it still lies inside the application's document directory before deleting anything. While not a substitute for patching, a Web Application Firewall (WAF) configured to block requests containing path traversal patterns can add a layer of defense; note that it must also catch encoded variants such as %2e%2e%2f and inspect the request body, not only the URL. After upgrading, confirm the vulnerability is resolved by sending a folder deletion request with a traversal sequence in the folder name; the request should be rejected. Run this check against a staging instance, since on an unpatched server a successful request really does delete the targeted directory.
Update Anything LLM to a version later than 1.0.0. This resolves the path traversal vulnerability that allows arbitrary folder deletion. See commit 8a7324d0e77a15186e1ad5e5119fca4fb224c39c for details of the fix.
CVE-2024-0763 is a path traversal vulnerability in Anything LLM versions up to 1.0.0, allowing authenticated attackers to delete arbitrary folders on a remote server due to insufficient input sanitization.
If you are using Anything LLM version 1.0.0 or earlier, you are potentially affected by this vulnerability. Because exploitation requires an authenticated user, review who holds accounts on your instance and whether it is reachable by anyone beyond trusted users to gauge your exposure.
The recommended fix is to upgrade to version 1.0.1 or later. As a temporary workaround, implement stricter input validation on the folder deletion endpoint, including a check that the resolved path remains inside the document directory.
There is currently no confirmed evidence of active exploitation in the wild, but the vulnerability's nature makes it a potential target.
Refer to the official Anything LLM release notes and security advisories on their project repository for the most up-to-date information.