SSRF Exploit via Upload Link Feature Allowing Arbitrary File Deletion and LFI
A Server-Side Request Forgery (SSRF) vulnerability in the upload link feature of mintplex-labs/anything-llm allows attackers with manager or admin roles to interact with internal applications, including the Collector API, leading to arbitrary file deletion and limited Local File Inclusion (LFI). This issue affects the latest version prior to 1.0.0, which contains the patch.
Available publicly on May 19 2024 | Available with Premium on Apr 01 2024
Remediation Steps
- Update to version 1.0.0 or later to patch the vulnerability.
- Review and sanitize all user inputs, especially URLs, to prevent SSRF attacks.
- Implement strict access controls and network segmentation to limit the impact of potential SSRF attacks.
- Regularly audit and monitor internal APIs for vulnerabilities and ensure they are not accessible from unauthorized contexts.
- Educate users with upload capabilities about the risks of SSRF and safe handling of external links.
Patch Details
- Fixed Version: 1.0.0
- Patch Commit: https://github.com/mintplex-labs/anything-llm/commit/f4088d9348fa86dcebe9f97a18d39c0a6e92f15e
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.