Path Traversal Vulnerability in Anything-LLM by Mintplex Labs
CVE-2024-8248

7.2HIGH

Key Information:

Vendor: Mintplex-labs
Status: Mintplex-labs/anything-llm
Vendor: CVE Published:; 20 March 2025

🔔 Create Mintplex-labs Vulnerability Alert

What is CVE-2024-8248?

A vulnerability exists within the normalizePath function of the Anything-LLM application, allowing attackers to exploit path traversal techniques. This flaw enables unauthorized access to the system's file storage, facilitating arbitrary file read and write operations. Consequently, this can lead to privilege escalation, where a user with manager privileges can elevate their status to administrative access. The vulnerability has been addressed and patched in version 1.2.2 of the product.

Affected Version(s)

mintplex-labs/anything-llm < 1.2.2

References

https://huntr.com/bounties/7d6c3b7a-1116-450d-b539-9c911a...

https://github.com/mintplex-labs/anything-llm/commit/47a5...

CVSS V3.0

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 20, 2025
Vulnerability Reserved
Aug 27, 2024