Platform: nodejs
Component: anything-llm
Fixed in: 1.0.1
CVE-2024-3025 is a critical path traversal vulnerability affecting versions of anything-llm up to and including 1.0.0. It allows attackers to read or delete sensitive files on the server by manipulating the logo filename. The flaw lies in the application's handling of the user-supplied logo filename, which is not properly validated. A fix is available in version 1.0.0.
An attacker can exploit this vulnerability by crafting malicious requests to the /api/system/upload-logo and /api/system/logo endpoints, manipulating the logo filename to include path traversal sequences (e.g., ../). This allows them to access files outside the intended upload directory. The potential impact is severe, ranging from unauthorized access to sensitive configuration files, database credentials, or even the deletion of critical system files. Successful exploitation could lead to complete compromise of the server and data exfiltration. The lack of input validation makes this vulnerability relatively easy to exploit.
This vulnerability was publicly disclosed on 2024-04-10. There are currently no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 9.9 (CRITICAL) indicates a high probability of exploitation if left unaddressed. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.23% (46th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to version 1.0.0 of anything-llm, which includes the necessary input validation fixes. If upgrading immediately is not possible, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences in the logo filename. Specifically, look for patterns like ../ or absolute paths. Additionally, restrict file upload permissions to the application user and regularly review file system access logs for suspicious activity. After upgrading, confirm the fix by attempting to upload a logo with a malicious filename (e.g., ../../../../etc/passwd) and verifying that the upload fails with an appropriate error.
Update to version 1.0.0 or later. This version contains a fix for the path traversal vulnerability. The update will prevent attackers from manipulating the logo filename to access files outside the restricted directory.
CVE-2024-3025 is a critical vulnerability in anything-llm versions up to 1.0.0 that allows attackers to read or delete files by manipulating the logo filename.
You are affected if you are using anything-llm version 1.0.0 or earlier. Upgrade to 1.0.0 to mitigate the risk.
Upgrade to version 1.0.0 of anything-llm. As a temporary workaround, implement a WAF rule to block requests with path traversal sequences in the logo filename.
As of now, there are no confirmed reports of active exploitation, but the high CVSS score indicates a significant risk.
Refer to the mintplex-labs/anything-llm repository on GitHub for updates and advisories related to CVE-2024-3025.