Path Traversal Leading to Arbitrary File Operations and DoS
A path traversal vulnerability in mintplex-labs/anything-llm allows a user with the manager role to read, delete and overwrite arbitrary files on the server and to cause a denial of service; the arbitrary file operations can also be used to take over an admin account. This issue affects versions prior to 1.0.0 and was patched in version 1.0.0.
Available publicly on Jun 12 2024 | Available with Premium on May 22 2024
Remediation Steps
- Ensure the normalizePath() function correctly handles all types of path traversal payloads.
- Implement strict path validation checks before performing any file operations.
- Limit file operations to a secure, predefined set of directories.
- Regularly update the application to the latest version to incorporate security patches.
- Conduct thorough security reviews and testing to identify and mitigate similar vulnerabilities.
Patch Details
- Fixed Version: 1.0.0
- Patch Commit: https://github.com/mintplex-labs/anything-llm/commit/e208074ef4c240fe03e4147ab097ec3b52b97619