Exposure of User Password Hash in API Responses
A vulnerability in mintplex-labs/anything-llm version 1.5.3 allows the exposure of user password hashes in API responses. This issue was patched in version 1.0.0. The vulnerability occurs during login and account creation processes, where the server returns the entire user object, including the bcrypt password hash, in the response.
Available publicly on Jun 20 2024 | Available with Premium on May 22 2024
Remediation Steps
- Upgrade to version 1.0.0 or later to patch the vulnerability.
- Implement proper data sanitization before sending responses to ensure sensitive information, such as password hashes, is not included.
- Use Data Transfer Objects (DTOs) to explicitly define the data structure returned in responses, avoiding the exposure of sensitive information.
- Regularly review and audit code to identify and mitigate similar vulnerabilities.
Patch Details
- Fixed Version: 1.0.0
- Patch Commit: https://github.com/mintplex-labs/anything-llm/commit/9df4521113ddb9a3adb5d0e3941e7d494992629c
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.