CVE-2024-4286

Improper Neutralization of Special Elements in mintplex-labs/anything-llm

Severity Score

4.9

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Mintplex-Labs' anything-llm application is vulnerable to improper neutralization of special elements used in an expression language statement, identified in the commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. The vulnerability arises from the application's handling of user modifications by managers or admins, allowing for the modification of all existing attributes of the `user` database entity without proper checks or sanitization. This flaw can be exploited to delete user threads, denying users access to their previously submitted data, or to inject fake threads and/or chat history for social engineering attacks.

La aplicación Any-llm de Mintplex-Labs es vulnerable a una neutralización inadecuada de elementos especiales utilizados en una declaración de lenguaje de expresión, identificada en el ID de commit `57984fa85c31988b2eff429adfc654c46e0c342a`. La vulnerabilidad surge del manejo por parte de la aplicación de las modificaciones de los usuarios por parte de los gerentes o administradores, lo que permite la modificación de todos los atributos existentes de la entidad de base de datos "usuario" sin las comprobaciones o sanitización adecuadas. Esta falla se puede explotar para eliminar hilos de usuarios, negarles el acceso a sus datos enviados previamente o para inyectar hilos falsos y/o historial de chat para ataques de ingeniería social.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-04-26 CVE Reserved
2024-05-26 CVE Published
2024-08-01 CVE Updated
2025-07-05 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

CAPEC

References (2)

URL	Tag	Source
https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789
https://huntr.com/bounties/a72d2923-297c-455f-af90-715e83b3da2b

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Mintplexlabs Search vendor "Mintplexlabs"		Anythingllm Search vendor "Mintplexlabs" for product "Anythingllm"				*		-		Affected