SSRF Vulnerability Allowing Access to Internal Networks
A Server-Side Request Forgery (SSRF) vulnerability in Anything-LLM lets an attacker make the application server issue requests to destinations of the attacker's choosing, including internal network addresses that are not reachable from outside. Versions of Anything-LLM before 1.0.0 are affected; the issue is fixed in version 1.0.0. An attacker exploits it by sending the application a specially crafted request that causes it to fetch an attacker-controlled destination server-side.
Available publicly on Feb 27 2024 | Available with Premium on Jan 19 2024
Remediation Steps
- Update the 'anything-llm' application to version 1.0.0 or later.
- Implement network-level (egress) controls that block outbound requests from the application server to private and otherwise non-public address ranges (RFC 1918, loopback, link-local including cloud instance-metadata endpoints).
- Validate every user-supplied value that ends up in a server-side request, in particular URLs: allow only the expected schemes (http/https), resolve the hostname and reject any resulting address in a blocked range, and apply the same check to redirect targets.
- Regularly audit and test endpoints for SSRF vulnerabilities.
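As an added illustration of the input-validation step above (example code written for this page, not Anything-LLM's own code or the patch linked below): a Node.js SSRF guard that shape-checks a user-supplied URL, resolves its hostname, and refuses any destination that maps to a private, loopback, link-local, multicast or otherwise non-public address. The `resolve` parameter is an assumed injection point so the check can run offline; the default resolver uses `dns.promises.lookup`. Function names (`parseTarget`, `isPrivateAddress`, `assertSafeUrl`) are this example's own.

```javascript
// Added example (not Anything-LLM code): SSRF guard for a server-side fetch.
// Blocked IPv4 ranges as [network, prefixLength].
const BLOCKED_V4 = [
  ['0.0.0.0', 8],       // "this" network
  ['10.0.0.0', 8],      // RFC 1918
  ['100.64.0.0', 10],   // carrier-grade NAT
  ['127.0.0.0', 8],     // loopback
  ['169.254.0.0', 16],  // link-local, incl. cloud metadata 169.254.169.254
  ['172.16.0.0', 12],   // RFC 1918
  ['192.168.0.0', 16],  // RFC 1918
  ['224.0.0.0', 4],     // multicast
  ['240.0.0.0', 4],     // reserved and broadcast
];

const V4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

function isIPv4(s) {
  const m = V4_RE.exec(s);
  return !!m && m.slice(1).every((o) => Number(o) <= 255);
}

// Dotted quad -> unsigned 32-bit integer.
function ipv4ToInt(ip) {
  return ip.split('.').reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

function inCidr4(ip, network, prefix) {
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(network) & mask) >>> 0);
}

// True if an IPv4 or IPv6 literal must never be fetched. IPv6 checks are
// string-prefix tests on the compressed form; a real deployment should
// normalize IPv6 with a proper address library before testing prefixes.
function isPrivateAddress(addr) {
  let a = addr.toLowerCase();
  if (a.startsWith('[') && a.endsWith(']')) a = a.slice(1, -1);
  const zone = a.indexOf('%');                    // strip zone id (fe80::1%eth0)
  if (zone !== -1) a = a.slice(0, zone);
  if (isIPv4(a)) return BLOCKED_V4.some(([net, p]) => inCidr4(a, net, p));
  if (!a.includes(':')) return true;              // not a literal at all: refuse
  if (a.startsWith('::ffff:')) {                  // IPv4-mapped IPv6
    const tail = a.slice(7);
    return isIPv4(tail) ? isPrivateAddress(tail) : true; // hex form: refuse outright
  }
  return a === '::' || a === '::1' ||
    /^f[cd]/.test(a) ||                           // fc00::/7 unique local
    /^fe[89ab]/.test(a);                          // fe80::/10 link-local
}

// Shape-check the URL and return the hostname that must be resolved.
// new URL() applies WHATWG normalization, so alternative IPv4 spellings such
// as http://2130706433/ or http://0177.0.0.1/ come back as "127.0.0.1".
function parseTarget(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { throw new Error('invalid URL'); }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error(`blocked scheme: ${url.protocol}`);   // no file:, gopher:, ftp: ...
  }
  if (url.username || url.password) throw new Error('credentials in URL not allowed');
  const host = url.hostname.replace(/^\[|\]$/g, '');      // unwrap [v6] literal
  if (host === 'localhost' || host.endsWith('.localhost')) throw new Error('blocked host');
  return { url, host };
}

function defaultResolve(host) {
  // Loaded lazily so the pure checks above work without dns.
  return require('node:dns').promises.lookup(host, { all: true }); // [{address, family}]
}

// Resolve the host (unless it is already a literal) and reject if ANY returned
// address is internal. The caller should connect to the returned addresses
// rather than resolving again, which closes the DNS-rebinding window.
async function assertSafeUrl(rawUrl, resolve = defaultResolve) {
  const { url, host } = parseTarget(rawUrl);
  const addresses = (isIPv4(host) || host.includes(':'))
    ? [host]
    : (await resolve(host)).map((r) => (typeof r === 'string' ? r : r.address));
  if (addresses.length === 0) throw new Error(`no addresses for ${host}`);
  for (const a of addresses) {
    if (isPrivateAddress(a)) throw new Error(`blocked address ${a} for ${host}`);
  }
  return { href: url.href, addresses };
}
```

Two caveats a practitioner should keep in mind when using a guard like this. First, validating and then letting the HTTP client resolve the name a second time leaves a DNS-rebinding gap; pin the connection to the addresses `assertSafeUrl` returned (for example through a custom `lookup` on the HTTP agent) and re-run the check on every redirect hop. Second, host-level validation does not replace the egress controls in the remediation list: the two layers cover each other's mistakes.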
Patch Details
- Fixed Version: 1.0.0
- Patch Commit: https://github.com/mintplex-labs/anything-llm/commit/0db6c3b2aa1787a7054ffdaba975474f122c20eb