Platform: nodejs
Component: anything-llm
Fixed in: 1.2.2
CVE-2024-10513 describes a Path Traversal vulnerability affecting the 'document uploads manager' feature within mintplex-labs/anything-llm. This flaw allows authenticated users with the 'manager' role to access and manipulate the 'anythingllm.db' database file, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions of anything-llm prior to 1.2.2, and a fix is available in version 1.2.2.
An attacker exploiting CVE-2024-10513 can leverage the '/api/document/move-files' endpoint to move the 'anythingllm.db' database file to a publicly accessible directory. This allows the attacker to download the database, potentially exposing sensitive information stored within. Following the download, the attacker can delete the database file, resulting in data loss and disruption of the application's functionality. This vulnerability could lead to privilege escalation if the database contains credentials or sensitive configuration data.
CVE-2024-10513 was published on 2025-03-20. Currently, there are no known public exploits or active campaigns targeting this vulnerability. Its CVSS score of 7.2 (HIGH) indicates a significant risk. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.27% (51st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-10513 is to upgrade to version 1.2.2 of anything-llm. If an immediate upgrade is not feasible, restrict access to the '/api/document/move-files' endpoint to authorized users only. Implement robust input validation on all file paths to prevent path traversal attempts. Consider using a Web Application Firewall (WAF) to filter requests containing suspicious path manipulation patterns.
Update anything-llm to version 1.2.2 or later. This version contains a fix for the path traversal vulnerability. The update can be performed through the npm package manager or by following the instructions provided by the vendor.
CVE-2024-10513 is a Path Traversal vulnerability in mintplex-labs/anything-llm versions prior to 1.2.2, allowing authenticated users with the 'manager' role to access and manipulate the database file.
You are affected if you are using an anything-llm version earlier than 1.2.2. Upgrade to version 1.2.2 to mitigate the risk.
Upgrade to version 1.2.2 of anything-llm. As a temporary workaround, restrict access to the '/api/document/move-files' endpoint.
As of the current date, there are no reports of active exploitation of CVE-2024-10513.
Refer to the mintplex-labs/anything-llm repository or their official communication channels for the advisory related to CVE-2024-10513.