Platform
nodejs
Component
anything-llm
Fixed in
1.0.1
CVE-2024-3279 describes an improper access control vulnerability within the mintplex-labs/anything-llm application. This flaw allows unauthenticated attackers to import arbitrary database files, leading to the potential deletion or manipulation of the core anythingllm.db database. Versions of Anything LLM prior to 1.0.0 are affected, and a fix has been released in version 1.0.0.
The impact of CVE-2024-3279 is significant due to the ease of exploitation and the potential for data compromise. An attacker can bypass authentication and directly import a malicious database file. This could result in the complete deletion of the existing anythingllm.db file, effectively crippling the application. More concerningly, an attacker could import a crafted database containing malicious data, which would then be served to legitimate users. This could lead to data theft, manipulation of application behavior, or even the injection of malicious code. The blast radius extends to all users of the affected application, as anyone interacting with the application could be exposed to the attacker's manipulated data.
CVE-2024-3279 was publicly disclosed on August 9, 2024. There is currently no indication of active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Public proof-of-concept (PoC) code has not been widely released, but the simplicity of the vulnerability suggests that PoCs are likely to emerge.
Exploit Status
EPSS
0.26% (49% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-3279 is to immediately upgrade to version 1.0.0 or later of the mintplex-labs/anything-llm application. If upgrading is not immediately feasible, consider implementing strict file access controls on the server hosting the application. Restrict write access to the anythingllm.db file to only the application's user account. Additionally, implement input validation on the import endpoint to prevent the upload of unexpected file types or excessively large files. While a WAF might not directly prevent this vulnerability, it could be configured to flag suspicious file uploads or database manipulation attempts. After upgrading, confirm the fix by attempting to import a test database file as an unauthenticated user; the import should be rejected.
Update Anything LLM to version 1.0.0 or later. This version contains a fix for the improper access control vulnerability in the import endpoint. The update will prevent anonymous attackers from importing malicious databases.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-3279 is a CRITICAL vulnerability in Anything LLM versions ≤1.0.0 that allows unauthenticated attackers to import malicious database files, potentially deleting or spoofing the 'anythingllm.db' file.
Yes, if you are using Anything LLM version 1.0.0 or earlier, you are vulnerable to this improper access control flaw.
Upgrade to version 1.0.0 or later of the Anything LLM application. As a temporary workaround, restrict write access to the 'anythingllm.db' file.
There is currently no confirmed evidence of active exploitation, but the vulnerability's simplicity suggests PoCs are likely to emerge.
Refer to the official mintplex-labs/anything-llm repository and associated release notes for the latest information and advisory regarding CVE-2024-3279.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.