Critical

anything-llm

SSRF Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability was identified in mintplex-labs/anything-llm, affecting versions prior to 1.0.0. It allows an attacker to steal AWS metadata by having the application fetch attacker-chosen URLs. The issue was patched in version 1.0.0.

Available publicly on Feb 25 2024

CVSS score: 9.9

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Credit: ranjit-git

Remediation Steps
  • Update the 'anything-llm' application to version 1.0.0 or later.
  • Implement URL validation to ensure only trusted URLs are fetched.
  • Restrict access to the AWS metadata service from the application level.
  • Regularly audit and monitor application logs for unusual or unauthorized fetching activities.

Patch Details
  • Fixed Version: 1.0.0
  • Patch Commit: https://github.com/mintplex-labs/anything-llm/commit/b2b2c2afe15c48952d57b4d01e7108f9515c5f55