Medium

anything-llm

Exposure of User Password Hash in API Responses

A vulnerability in mintplex-labs/anything-llm version 1.5.3 allows the exposure of user password hashes in API responses. This issue was patched in version 1.0.0. The vulnerability occurs during login and account creation processes, where the server returns the entire user object, including the bcrypt password hash, in the response.

Available publicly on Jun 20 2024

CVSS v3.1 base score: 5.3

CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Credit: acciobugs

Threat Overview

The vulnerability arises from the application's handling of user objects during login (POST /api/request-token) and account creation (POST /api/admin/users/new). In both handlers the server places the entire user record in the response body, which inadvertently exposes the bcrypt password hash to the client. Although bcrypt is a robust hashing algorithm, exposing password hashes is still a significant security risk: it could allow an attacker to perform offline brute-force or dictionary attacks, especially if the underlying password is weak or the attacker has access to significant computational resources.
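The following is an added example, not code from the anything-llm project: it contrasts the handler shape the advisory describes (the whole user record spread into the login response) with a hardened version that serializes only an explicit allow-list of fields, and adds a regression check a test suite can run against any response body to catch a bcrypt-shaped string. The user record, the `issueToken` helper and the field list are constructed for illustration.

```javascript
// Added example, not anything-llm's own code. Shows the vulnerable response
// shape next to a hardened one, plus a response check for the leak class.

// Constructed sample record: the "password" value is shaped like a bcrypt
// hash ($2b$, cost 10, 53-character salt+digest) but is NOT a real hash.
const SAMPLE_USER = Object.freeze({
  id: 1,
  username: "alice",
  role: "admin",
  password: "$2b$10$" + "abcdefghijklmnopqrstuv".repeat(3).slice(0, 53),
  createdAt: "2024-06-01T00:00:00Z",
});

// Hypothetical token issuer standing in for the real one; returns an
// obviously fake value so the example runs offline.
function issueToken(user) {
  return `token-for-${user.username}`;
}

// Vulnerable shape: the full record, hash included, goes into the body.
function loginVulnerable(user) {
  return { user, token: issueToken(user), valid: true, message: null };
}

// Hardened shape: an explicit allow-list, so a field added to the model
// later (another secret, a reset token) is not leaked by default.
const PUBLIC_USER_FIELDS = ["id", "username", "role", "createdAt"];
function toPublicUser(user) {
  const out = {};
  for (const key of PUBLIC_USER_FIELDS) {
    if (key in user) out[key] = user[key];
  }
  return out;
}
function loginHardened(user) {
  return { user: toPublicUser(user), token: issueToken(user), valid: true, message: null };
}

// Regression check: does the serialized response carry anything shaped like
// a bcrypt hash ($2a$/$2b$/$2x$/$2y$ prefix, two-digit cost, 53-char body)?
const BCRYPT_RE = /\$2[abxy]?\$\d{2}\$[./A-Za-z0-9]{53}/;
function responseLeaksHash(body) {
  return BCRYPT_RE.test(JSON.stringify(body));
}

// Stand-alone demonstration.
console.log("vulnerable leaks hash:", responseLeaksHash(loginVulnerable(SAMPLE_USER)));
console.log("hardened leaks hash:", responseLeaksHash(loginHardened(SAMPLE_USER)));
```

The allow-list is deliberate: a deny-list (`delete user.password`) silently fails the next time a sensitive column is added to the model, whereas an allow-list fails closed. The `responseLeaksHash` check is cheap enough to run in an integration test against every authenticated endpoint, not only the two named in the advisory.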

Attack Scenario

An attacker could exploit this vulnerability by intercepting the API response during the login or account creation process. This could be achieved through a man-in-the-middle (MITM) attack or by compromising the client's environment. Once the attacker has access to the password hash, they could attempt to crack it offline. Successful exploitation would depend on the complexity of the user's password and the attacker's computational resources.

Who is affected

Users of mintplex-labs/anything-llm version 1.5.3 are affected by this vulnerability. Specifically, users who log in or create an account are at risk, as their password hashes could be exposed to an attacker able to read the API responses.
