修复版本
1.0.1
CVE-2024-3025 is a critical path traversal vulnerability affecting versions of anything-llm up to and including 1.0.0. This vulnerability allows attackers to potentially read or delete sensitive files on the server by manipulating the logo filename. The flaw resides in the application's handling of user-supplied input for the logo filename, lacking proper validation. A fix is available in version 1.0.0.
An attacker can exploit this vulnerability by crafting malicious requests to the /api/system/upload-logo and /api/system/logo endpoints, manipulating the logo filename to include path traversal sequences (e.g., ../). This allows them to access files outside the intended upload directory. The potential impact is severe, ranging from unauthorized access to sensitive configuration files, database credentials, or even the deletion of critical system files. Successful exploitation could lead to complete compromise of the server and data exfiltration. The lack of input validation makes this vulnerability relatively easy to exploit.
This vulnerability was publicly disclosed on 2024-04-10. There are currently no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 9.9 (CRITICAL) indicates a high probability of exploitation if left unaddressed. It is not currently listed on the CISA KEV catalog.
Organizations deploying anything-llm in production environments, particularly those with sensitive data stored on the server, are at significant risk. Shared hosting environments where multiple users share the same server are also vulnerable, as an attacker could potentially exploit this vulnerability to access data belonging to other users.
• nodejs / server:
grep -r "../" /var/log/nginx/access.log• nodejs / server:
journalctl -u anything-llm | grep -i "path traversal"• generic web:
Review access logs for requests to /api/system/upload-logo and /api/system/logo containing suspicious filenames.
• generic web:
Check response headers for unexpected file content types or error messages related to file access.
disclosure
漏洞利用状态
EPSS
0.23% (46% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation is to upgrade to version 1.0.0 of anything-llm, which includes the necessary input validation fixes. If upgrading immediately is not possible, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences in the logo filename. Specifically, look for patterns like ../ or absolute paths. Additionally, restrict file upload permissions to the application user and regularly review file system access logs for suspicious activity. After upgrading, confirm the fix by attempting to upload a logo with a malicious filename (e.g., ../../../../etc/passwd) and verifying that the upload fails with an appropriate error.
Actualice a la versión 1.0.0 o posterior. Esta versión contiene una corrección para la vulnerabilidad de path traversal. La actualización evitará que atacantes manipulen el nombre del archivo del logo para acceder a archivos fuera del directorio restringido.
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2024-3025 is a critical vulnerability in anything-llm versions up to 1.0.0 that allows attackers to read or delete files by manipulating the logo filename.
You are affected if you are using anything-llm version 1.0.0 or earlier. Upgrade to 1.0.0 to mitigate the risk.
Upgrade to version 1.0.0 of anything-llm. As a temporary workaround, implement a WAF rule to block requests with path traversal sequences in the logo filename.
As of now, there are no confirmed reports of active exploitation, but the high CVSS score indicates a significant risk.
Refer to the mintplex-labs/anything-llm repository on GitHub for updates and advisories related to CVE-2024-3025.