Medium

anything-llm

DoS via Invalid Upload Request

A vulnerability in the `upload-link` endpoint of AnythingLLM allows a Denial of Service (DoS): sending an invalid upload request shuts down the server. This issue affects versions prior to 1.0.0, which contains the patch.

Available publicly on Jun 19 2024

CVSS Score: 6.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Credit: sev-hack

Remediation Steps
  • Update AnythingLLM to version 1.0.0 or later.
  • Ensure input validation is properly implemented for all endpoints, especially those handling file uploads.
  • Regularly audit and test application endpoints for similar vulnerabilities.
  • Consider implementing rate limiting and anomaly detection mechanisms to identify and mitigate potential DoS attacks.
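The second remediation step, input validation on upload endpoints, is illustrated below with an added example. This is not AnythingLLM's code and does not reproduce the actual defect; the request field name `link`, the length limit, the allowed schemes and the `fetchAndIndex` worker are all assumptions chosen for the illustration. The point it shows is that a validator which never throws, plus a handler that turns unexpected exceptions into error responses, keeps a malformed request from escaping as an unhandled error that takes the process down.

```javascript
// Added example (not AnythingLLM's code): validate an "upload-link" style
// request body before doing any work, and wrap the handler so that an
// unexpected exception becomes an HTTP error instead of an unhandled
// rejection. Field names, limits and the worker are assumptions.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);
const MAX_LINK_LENGTH = 2048;

// Returns { ok: true, url } or { ok: false, error }; never throws.
function validateUploadLink(body) {
  if (body === null || typeof body !== "object") {
    return { ok: false, error: "request body must be a JSON object" };
  }
  const { link } = body;
  if (typeof link !== "string" || link.length === 0) {
    return { ok: false, error: "'link' must be a non-empty string" };
  }
  if (link.length > MAX_LINK_LENGTH) {
    return { ok: false, error: "'link' exceeds maximum length" };
  }
  let url;
  try {
    url = new URL(link); // WHATWG URL parser throws on garbage input
  } catch {
    return { ok: false, error: "'link' is not a valid URL" };
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, error: "'link' must use http or https" };
  }
  return { ok: true, url };
}

// Express-style handler factory. `fetchAndIndex` is an assumed downstream
// worker that may throw; both validation failures and unexpected errors are
// converted into responses rather than propagating out of the handler.
function makeUploadLinkHandler(fetchAndIndex) {
  return async function handleUploadLink(req, res) {
    const result = validateUploadLink(req.body);
    if (!result.ok) {
      return res.status(400).json({ success: false, error: result.error });
    }
    try {
      const doc = await fetchAndIndex(result.url.href);
      return res.status(200).json({ success: true, document: doc });
    } catch (err) {
      // Log server-side; do not echo internals back to the client.
      console.error("upload-link failed:", err.message);
      return res.status(500).json({ success: false, error: "failed to process link" });
    }
  };
}

// Minimal stand-in for Express's `res` so the example runs offline.
function makeResponse() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

// Drives the handler over constructed requests and returns the status codes.
async function demo() {
  const handler = makeUploadLinkHandler(async (href) => {
    if (href.includes("boom")) throw new Error("downstream parser blew up");
    return { title: "example", source: href };
  });
  const cases = [
    { body: undefined },                            // no JSON body at all
    { body: { link: 12345 } },                      // wrong type
    { body: { link: "not a url" } },                // unparsable
    { body: { link: "file:///etc/hostname" } },     // disallowed scheme
    { body: { link: "https://example.com/boom" } }, // downstream failure
    { body: { link: "https://example.com/page" } }, // well-formed request
  ];
  const codes = [];
  for (const req of cases) {
    const res = makeResponse();
    await handler(req, res);
    codes.push(res.statusCode);
  }
  return codes; // [400, 400, 400, 400, 500, 200]
}

demo().then((codes) => console.log("status codes:", codes));
```

Running the block prints one status code per constructed request; the four malformed bodies get 400, the downstream exception is contained as a 500, and only the well-formed request reaches 200. The validator is deliberately a pure function that returns a result object, which makes it easy to unit test and impossible for it to crash the caller.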

Patch Details
  • Fixed Version: 1.0.0
  • Patch Commit: https://github.com/mintplex-labs/anything-llm/commit/e2439c6d4c3cfdacd96cd1b7b92d1f89c3cc8459