We use cookies to improve your experience on our site.
AVID-2026-R0006
Description
Path Traversal in mintplex-labs/anything-llm (CVE-2024-10513)
Details
A path traversal vulnerability exists in the ‘document uploads manager’ feature of mintplex-labs/anything-llm, affecting the latest version prior to 1.2.2. This vulnerability allows users with the ‘manager’ role to access and manipulate the ‘anythingllm.db’ database file. By exploiting the vulnerable endpoint ‘/api/document/move-files’, an attacker can move the database file to a publicly accessible directory, download it, and subsequently delete it. This can lead to unauthorized access to sensitive data, privilege escalation, and potential data loss.
References
- NVD entry
- https://huntr.com/bounties/ad11cecf-161a-4fb1-986f-6f88272cbb9e
- https://github.com/mintplex-labs/anything-llm/commit/47a5c7126c20e2277ee56e2c7ee11990886a40a7
Affected or Relevant Artifacts
- Developer: mintplex-labs
- Deployer: mintplex-labs
- Artifact Details:
| Type | Name |
|---|---|
| System | mintplex-labs/anything-llm |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.0 |
| Vector String | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Base Score | 7.2 |
| Base Severity | 🔴 High |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | 🔴 High |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🔴 High |
| Availability Impact | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-23 | CWE-23 Relative Path Traversal |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2025-03-20
- Version: 0.3.1
- AVID Entry