CVE-2024-3166

CRITICAL

AnythingLLM Desktop < 1.4.2 - Stored Cross-Site Scripting and Remote Code Execution via Website Content Embedding

Title source: llm

Description

A Cross-Site Scripting (XSS) vulnerability exists in mintplex-labs/anything-llm, affecting both the desktop application version 1.2.0 and the latest version of the web application. The vulnerability arises from the application's feature to fetch and embed content from websites into workspaces, which can be exploited to execute arbitrary JavaScript code. In the desktop application, this flaw can be escalated to Remote Code Execution (RCE) due to insecure application settings, specifically the enabling of 'nodeIntegration' and the disabling of 'contextIsolation' in Electron's webPreferences. The issue has been addressed in version 1.4.2 of the desktop application.

References (2)

Core 2

Core References

Patch

https://github.com/mintplex-labs/anything-llm/commit/fa27103d032c58904c49b92ee13fabc19a20a5ce

View Patch ZIP pw:eip

Exploit, Third Party Advisory

https://huntr.com/bounties/af288bd3-8824-4216-a294-ae9fb444e5db

Scores

CVSS v3 9.6

EPSS 0.0096

EPSS Percentile 56.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (3)

mintplex-labs/mintplex-labs/anything-llm unspecified - 1.4.2

mintplexlabs/anythingllm_desktop < 1.4.2

mintplexlabs/anythingllm_webapp < 1.2.0

Published Jun 06, 2024

Tracked Since Feb 18, 2026