The vulnerability arises from the application's handling of user objects during login (POST /api/request-token) and account creation (POST /api/admin/users/new). Specifically, the server includes the entire user object in the response, which inadvertently exposes the bcrypt password hash to the client-side. Although bcrypt is a robust hashing algorithm, exposing password hashes poses a significant security risk. It could potentially allow attackers to perform offline brute-force or dictionary attacks, especially if the hash is weak or if the attacker has access to significant computational resources.

An attacker could exploit this vulnerability by intercepting the API response during the login or account creation process. This could be achieved through a man-in-the-middle (MITM) attack or by compromising the client's environment. Once the attacker has access to the password hash, they could attempt to crack it offline. Successful exploitation would depend on the complexity of the user's password and the attacker's computational resources.

Users of mintplex-labs/anything-llm version 1.5.3 are affected by this vulnerability. Specifically, users who login or create an account are at risk, as their password hashes could be exposed to attackers intercepting the API responses.