Unauthenticated Denial of Service (DOS) attack in AnythingLLM
CVE-2024-22422

7.5 HIGH

Key Information:

Vendor
CVE Published:
19 January 2024

What is CVE-2024-22422?

The AnythingLLM application, developed by Mintplex Labs, contains a vulnerability in an unauthenticated API route, specifically the 'data-export' endpoint. This endpoint exports files and takes user input for the filename parameter. The input filtering can be bypassed, allowing an attacker to make the application target the current directory. When the application then tries to delete that file as part of its operation, the server crashes because the resulting error is not handled. An attacker can therefore cause a Denial of Service with a single HTTP request, rendering the service unavailable. The issue is resolved in commit 08d33cfd8, and users are strongly advised to upgrade their installations.


Affected Version(s)

anything-llm < 08d33cfd8


CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
