DoS Vulnerability in 'just me' Mode with Password
CVE-2024-3569

7.5HIGH

Key Information:

Vendor: Mintplex-labs
Status: Mintplex-labs/anything-llm
Vendor: CVE Published:; 10 April 2024

🔔 Create Mintplex-labs Vulnerability Alert

What is CVE-2024-3569?

A Denial of Service vulnerability exists within the Anything-LLM product developed by Mintplex Labs, specifically affecting its operation in 'just me' mode when secured with a password. An attacker can exploit this issue by sending a specially crafted 'Authorization:' header in requests processed by the validatedRequest middleware. This can lead to uncontrolled consumption of system resources, effectively resulting in a Denial of Service condition that disrupts availability for legitimate users.

Affected Version(s)

mintplex-labs/anything-llm < 1.0.0

References

https://huntr.com/bounties/619e13bd-b723-4727-9ccb-5099d6...

https://github.com/mintplex-labs/anything-llm/commit/efe9...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 10, 2024
Vulnerability Reserved
Apr 10, 2024