Severity: Medium

anything-llm

DOS via Invalid Upload Request

A vulnerability in the `upload-link` endpoint of AnythingLLM allows a Denial of Service (DOS): the server shuts down when it receives an invalid upload request. This issue affects versions prior to 1.0.0; version 1.0.0 contains the patch.

Available publicly on Jun 19 2024

CVSS score: 6.5

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Credit:

sev-hack

Threat Overview

The vulnerability stems from improper handling of upload requests in the upload-link endpoint. Sending a request with either an empty body and a 'Content-Length: 0' header, or a non-empty body whose 'Content-Length' value does not match the actual size of the body, causes the server to shut down. This indicates that the application fails to validate and handle incoming data properly, leading to uncontrolled resource consumption and ultimately a DOS condition.

Attack Scenario

An attacker, after obtaining at least a 'Manager' role within the application, sends a specially crafted request to the upload-link endpoint. This request either contains an empty body with a 'Content-Length: 0' header or a non-empty body with a 'Content-Length' header value that does not match the actual size of the body. The server, unable to properly process this request, shuts down, resulting in a denial of service for all legitimate users.
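The Threat Overview and Attack Scenario above both describe the same defect: a request whose body framing is wrong (empty with 'Content-Length: 0', or a 'Content-Length' that disagrees with the body) reaches code that throws instead of rejecting it, and in a Node process an unhandled error in a request handler takes the whole server down. The following is an added illustration of the defensive validation a maintainer would put in front of such a handler; it is not AnythingLLM's code or its actual fix. It assumes a JSON payload with a single `link` field, that request headers arrive lower-cased and the body as a `Buffer` (as Node's `http` module delivers them), and an arbitrary 64 KiB size cap; all of those are assumptions, not details taken from the advisory.

```javascript
// Added example (not AnythingLLM's code): validate request framing and
// payload for an upload-link style endpoint so that every malformed
// case yields a 4xx response rather than an exception that escapes the
// handler and crashes the process.

const MAX_BODY_BYTES = 64 * 1024; // assumed cap for a link payload

// Step 1: check Content-Length against the body that was actually read,
// before attempting to interpret the body at all.
function validateFraming(headers, rawBody) {
  const clHeader = headers['content-length'];
  if (clHeader === undefined) {
    return { ok: false, status: 411, reason: 'Content-Length required' };
  }
  if (!/^\d+$/.test(String(clHeader))) {
    return { ok: false, status: 400, reason: 'Content-Length must be a non-negative integer' };
  }
  const declared = Number(clHeader);
  if (declared === 0) {
    return { ok: false, status: 400, reason: 'empty body' };
  }
  if (declared > MAX_BODY_BYTES) {
    return { ok: false, status: 413, reason: 'body too large' };
  }
  const actual = Buffer.byteLength(rawBody);
  if (actual !== declared) {
    return { ok: false, status: 400, reason: `Content-Length ${declared} does not match body size ${actual}` };
  }
  return { ok: true };
}

// Step 2: parse the JSON payload and validate the link. JSON.parse and
// the URL constructor both throw on bad input, so each is wrapped; an
// uncaught throw here is exactly the kind of error that ends the process.
function parseLinkPayload(rawBody) {
  let parsed;
  try {
    parsed = JSON.parse(rawBody.toString('utf8'));
  } catch {
    return { ok: false, status: 400, reason: 'body is not valid JSON' };
  }
  if (parsed === null || typeof parsed !== 'object' || typeof parsed.link !== 'string') {
    return { ok: false, status: 400, reason: '"link" must be a string' };
  }
  let url;
  try {
    url = new URL(parsed.link);
  } catch {
    return { ok: false, status: 400, reason: '"link" is not a valid URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, status: 400, reason: 'only http(s) links are accepted' };
  }
  return { ok: true, link: url.href };
}

// Framework-agnostic handler: returns { status, body } instead of writing
// to a socket so it can be exercised without starting a server. Every
// failure path returns; nothing is allowed to throw out of this function.
function handleUploadLink(headers, rawBody) {
  const framing = validateFraming(headers, rawBody);
  if (!framing.ok) {
    return { status: framing.status, body: { success: false, error: framing.reason } };
  }
  const payload = parseLinkPayload(rawBody);
  if (!payload.ok) {
    return { status: payload.status, body: { success: false, error: payload.reason } };
  }
  // Real work (fetching the link, creating the document) would follow here;
  // this example just echoes the accepted, normalised link.
  return { status: 200, body: { success: true, link: payload.link } };
}

// Constructed sample requests, run when the file is executed directly.
if (typeof require !== 'undefined' && require.main === module) {
  const good = Buffer.from('{"link":"https://example.com/"}'); // 31 bytes
  console.log(handleUploadLink({ 'content-length': '31' }, good));
  console.log(handleUploadLink({ 'content-length': '0' }, Buffer.alloc(0)));
  console.log(handleUploadLink({ 'content-length': '5' }, good));
}
```

In a real Node server the HTTP layer reads the body according to Content-Length, so the byte-count comparison mostly guards against middleware that buffers without enforcing it; the point the advisory makes is the second half, that parse and validation failures must be turned into responses rather than left to propagate. An authenticated 'Manager' who can reach the endpoint should only ever get a 400 back.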

Who is affected

All users of the AnythingLLM application prior to version 1.0.0 are affected by this vulnerability, as it allows an attacker with sufficient privileges to shut down the server, denying service to legitimate users.
