Prisma Injection via User JSON in API Endpoint
A vulnerability in the API endpoint '/embed/:embedId/stream-chat' allows Prisma injection: a value taken directly from the user-supplied JSON request body is passed into a Prisma query without type checking. Because Prisma interprets an object in place of a scalar value as a filter (operators such as not, contains or startsWith), a client who sends an object instead of a string can change the conditions of the query. This affects git commit cc594d4 and was patched in version 1.2.2.
Available publicly on Nov 03 2024 | Available with Premium on Aug 27 2024
Remediation Steps
- Update to version 1.2.2 or later.
- Validate request body fields before they reach the Prisma query, rather than forwarding the parsed JSON value as-is.
- Check that each field has the expected primitive type (a string where a string is expected, never an object or array), since Prisma treats an object in a scalar position as a filter; reject or reduce to a plain string anything else.
- Review other endpoints that build Prisma query arguments from request bodies for the same pattern, and add tests that submit objects and arrays where strings are expected.
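The following is an added illustration of the remediation steps above, not code from AnythingLLM or from the patch commit. It contrasts the vulnerable pattern (a JSON body field copied straight into a Prisma where-clause) with a hardened version that accepts only a bounded string. The field name sessionId, the column names embed_id and session_id, and the session id format are assumptions made for the example; Prisma itself is not called, the code only builds the argument object a handler would pass to prisma.<model>.findMany().

```javascript
// Added example (not AnythingLLM's code). Model/column names and the
// sessionId format are assumptions chosen for illustration.

// Vulnerable pattern: the client-controlled JSON field becomes part of the
// Prisma `where` argument unchanged. Prisma reads an object in a scalar
// position as a filter ({ not: "" }, { contains: "x" }, ...), so the client,
// not the server, decides which rows the query matches.
function buildWhereUnsafe(embedId, body) {
  return { embed_id: embedId, session_id: body.sessionId };
}

// Hardened pattern: only a short string from a fixed character set is
// accepted, so the value can never be interpreted as a filter object.
const SESSION_ID_RE = /^[A-Za-z0-9_-]{1,64}$/; // assumed id format

function parseSessionId(body) {
  const v = body && body.sessionId;
  if (typeof v !== 'string' || !SESSION_ID_RE.test(v)) {
    throw new TypeError('sessionId must be a short alphanumeric string');
  }
  return v;
}

function buildWhereSafe(embedId, body) {
  return { embed_id: embedId, session_id: parseSessionId(body) };
}

// Constructed request bodies, as an Express handler sees them after JSON
// body parsing. The hostile one substitutes a Prisma filter for the string.
const benignBody = JSON.parse('{"message":"hi","sessionId":"abc123"}');
const hostileBody = JSON.parse('{"message":"hi","sessionId":{"not":""}}');

// Runs both builders against both bodies and reports what each produced.
function demo() {
  const results = {
    unsafeBenign: buildWhereUnsafe(7, benignBody),
    // The filter object survives: the query now matches every row of this
    // embed whose session_id is non-empty, not one session.
    unsafeHostile: buildWhereUnsafe(7, hostileBody),
    safeBenign: buildWhereSafe(7, benignBody),
    safeHostileRejected: false,
  };
  try {
    buildWhereSafe(7, hostileBody);
  } catch (e) {
    results.safeHostileRejected = e instanceof TypeError;
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The type check is the essential step: JSON.parse happily produces objects and arrays, and a where-clause built by object spread or direct assignment will carry them through to Prisma. Limiting the value to a primitive of known shape removes the operator-injection surface regardless of which Prisma model the query targets.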
Patch Details
- Fixed Version: 1.2.2
- Patch Commit: https://github.com/mintplex-labs/anything-llm/commit/334fd9cdd02ad4aa6a3c9bdfc95e7764651c13f4