CVE-2024-5208
MEDIUMMintplexlabs Anythingllm < 1.0.0 - Resource Allocation Without Limits
Title source: ruleDescription
An uncontrolled resource consumption vulnerability exists in the `upload-link` endpoint of mintplex-labs/anything-llm. This vulnerability allows attackers to cause a denial of service (DOS) by shutting down the server through sending invalid upload requests. Specifically, the server can be made to shut down by sending an empty body with a 'Content-Length: 0' header or by sending a body with arbitrary content, such as 'asdasdasd', with a 'Content-Length: 9' header. The vulnerability is reproducible by users with at least a 'Manager' role, sending a crafted request to any workspace. This issue indicates that a previous fix was not effective in mitigating the vulnerability.
References (2)
Core 2
Core References
Exploit, Third Party Advisory
https://huntr.com/bounties/6c8bdfa1-ec56-4b02-bde9-cfc27470e6ca
Scores
CVSS v3
6.5
EPSS
0.0012
EPSS Percentile
30.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-770
Status
published
Products (1)
mintplexlabs/anythingllm
< 1.0.0
Published
Jun 19, 2024
Tracked Since
Feb 18, 2026