CVE-2024-0763

HIGH

AnythingLLM < 1.0.0 - Authenticated Path Traversal and Arbitrary Folder Deletion

Title source: llm

Description

Any user can delete an arbitrary folder (recursively) on a remote server due to bad input sanitization leading to path traversal. The attacker would need access to the server at some privilege level since this endpoint is protected and requires authorization.

Scores

CVSS v3: 8.1
EPSS: 0.0090
EPSS Percentile: 54.9%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-22
Status: published
Products (1): mintplexlabs/anythingllm < 1.0.0
Published: Feb 27, 2024
Tracked Since: Feb 18, 2026