AVID-2026-R1615

Description

Path Traversal in mintplex-labs/anything-llm (CVE-2024-8248)

Details

A vulnerability in the normalizePath function in mintplex-labs/anything-llm version git 296f041 allows for path traversal, leading to arbitrary file read and write in the storage directory. This can result in privilege escalation from manager to admin. The issue is fixed in version 1.2.2.

Reason for inclusion in AVID: CVE-2024-8248 describes a path traversal vulnerability in the AI-related library mintplex-labs/anything-llm, enabling arbitrary file reads/writes in the storage directory and privilege escalation. This directly concerns AI software stacks and deployment tooling, and affects components used to build/run general-purpose AI systems. The issue is within a software package (dependency) rather than hardware/firmware, and the report provides CVE details, affected version, impact, and a fix, satisfying evidence requirements for AVID curation.

References

Affected or Relevant Artifacts

  • Developer: mintplex-labs
  • Deployer: mintplex-labs
  • Artifact Details:
      • Type: System
      • Name: mintplex-labs/anything-llm

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

  • Version: 3.0
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • Base Score: 7.2
  • Base Severity: 🔴 High
  • Attack Vector: NETWORK
  • Attack Complexity: 🟢 Low
  • Privileges Required: 🔴 High
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: 🔴 High
  • Integrity Impact: 🔴 High
  • Availability Impact: 🔴 High

CWE

  • ID: CWE-29
  • Description: CWE-29 Path Traversal: ‘..\filename’

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2025-03-20
  • Version: 0.3.3
  • AVID Entry