Platform
nodejs
Component
anything-llm
Fixed in
0.9.2
CVE-2024-0404 describes a critical mass assignment vulnerability found in the mintplex-labs/anything-llm repository. This flaw allows attackers to bypass access controls and create high-privileged accounts, potentially leading to complete system compromise. The vulnerability impacts versions of Anything LLM up to and including 1.0.0. A fix is available in version 1.0.0.
The vulnerability lies in the /api/invite/:code endpoint, which handles account creation via invitation links. Due to a lack of input validation and property allowlisting, an attacker can intercept and modify the HTTP request, injecting a role property with a value of admin. This effectively grants the attacker administrative privileges within the application. Successful exploitation allows for unauthorized access to sensitive data, modification of system configurations, and potentially complete control over the Anything LLM instance. The impact is particularly severe given the potential for privilege escalation and the ability to bypass standard authentication mechanisms. This vulnerability shares similarities with other mass assignment flaws where insufficient input sanitization leads to unauthorized privilege assignment.
CVE-2024-0404 was publicly disclosed on April 16, 2024. There is currently no indication of active exploitation in the wild, but the availability of a public repository and the ease of exploitation make it a potential target. The CVSS score of 9.1 (CRITICAL) reflects the high severity of the vulnerability. No KEV listing is currently available. Public proof-of-concept code is likely to emerge given the vulnerability's nature.
Organizations deploying Anything LLM in production environments, particularly those relying on invitation-based account creation, are at risk. Shared hosting environments where multiple users share the same instance of Anything LLM are also particularly vulnerable, as a compromised account could potentially impact other users.
• nodejs / server:
# Check for suspicious account creation requests in access logs.
# Note: ':code' in the route is a placeholder; real requests carry the actual
# invite code, so match on the path prefix. A standard access log records only
# the request line, so the second grep only finds a body-level 'role' if the
# log format also captures request bodies (see the next item).
grep 'POST /api/invite/' access.log | grep 'role=admin'
• nodejs / server:
# Monitor for unexpected properties in request bodies using a logging framework
# (for example Winston or Bunyan).
# Log requests to /api/invite/:code and inspect them for the presence of a 'role' property.
Exploit Status
EPSS
0.25% (48th percentile)
The primary mitigation for CVE-2024-0404 is to upgrade to version 1.0.0 or later of Anything LLM, which includes the necessary input validation and property allowlisting to prevent the mass assignment vulnerability. If upgrading immediately is not feasible, consider implementing a temporary workaround by carefully scrutinizing all incoming requests to the /api/invite/:code endpoint. Implement strict input validation to ensure that the role property is not present in the request body and that any other unexpected properties are rejected. Consider using a Web Application Firewall (WAF) to filter out malicious requests containing suspicious properties. Monitor application logs for any unusual account creation attempts or modifications to user roles.
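As an added illustration, not code from the anything-llm project, the following Node.js snippet shows the mass assignment pattern the advisory describes beside the allowlisting fix recommended above; the function names, the allowed field list, and the sample request body are assumptions.

```javascript
// Added example (hypothetical names), not the project's own handler code.
const ALLOWED_FIELDS = ["username", "password"];
const DEFAULT_ROLE = "default";

// Vulnerable pattern: every property the client sent is copied into the new
// user record, so a client-supplied "role" silently overrides the default.
function createUserVulnerable(body) {
  return { role: DEFAULT_ROLE, ...body };
}

// Hardened pattern: copy only allowlisted fields, reject any other property,
// and take the role from the server-side invite record, never from the body.
function createUserHardened(body, invite) {
  const unexpected = Object.keys(body).filter((k) => !ALLOWED_FIELDS.includes(k));
  if (unexpected.length > 0) {
    // A good place to emit the log line the monitoring advice above asks for.
    throw new Error(`rejected unexpected properties: ${unexpected.join(", ")}`);
  }
  if (typeof body.username !== "string" || typeof body.password !== "string") {
    throw new Error("username and password are required strings");
  }
  return {
    username: body.username,
    password: body.password, // hash before storing; omitted here for brevity
    role: invite.role ?? DEFAULT_ROLE,
  };
}

// Constructed sample request body of the tampered kind the advisory describes.
const tamperedBody = { username: "newuser", password: "hunter22", role: "admin" };
// Constructed invite record as the server would look it up by :code.
const sampleInvite = { code: "EXAMPLE-INVITE-CODE", role: "default" };
```

Running createUserVulnerable(tamperedBody) yields an admin account, while createUserHardened(tamperedBody, sampleInvite) throws and leaves nothing created.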
Update Anything LLM to version 1.0.0 or later. This version contains a fix for the mass assignment vulnerability. The update will prevent the unauthorized creation of accounts with elevated privileges.
CVE-2024-0404 is a critical vulnerability in Anything LLM versions ≤1.0.0 that allows attackers to create admin accounts by manipulating the /api/invite/:code endpoint, bypassing access controls.
Yes, if you are using Anything LLM version 1.0.0 or earlier, you are vulnerable to this mass assignment vulnerability.
Upgrade to version 1.0.0 or later of Anything LLM. This version includes input validation to prevent the vulnerability.
There is currently no confirmed active exploitation, but the ease of exploitation makes it a potential target.
Refer to the mintplex-labs/anything-llm repository on GitHub for updates and advisories related to CVE-2024-0404.