CVE-2024-10109
NONE EPSS 38.3%
Published Mar 20, 2025 1y ago
Last Modified Jun 17, 2026 1w ago
Description
A vulnerability in the mintplex-labs/anything-llm repository, as of commit 5c40419, allows low privilege users to access the sensitive API endpoint "/api/system/custom-models". This access enables them to modify the model's API key and base path, leading to potential API key leakage and denial of service on chats.
Threat Intelligence
EPSS Exploit Probability
38.3% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-863 Incorrect Authorization
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| mintplexlabs | anythingllm | * | <1.3.1 |
References 2
- github.com https://github.com/mintplex-labs/anything-llm/commit/8d302c3f670c582b09d47e96132c248101447a11
- huntr.com https://huntr.com/bounties/ad3c9e76-679d-4775-b203-96947ff73551
Remediation
- github.com https://github.com/mintplex-labs/anything-llm/commit/8d302c3f670c582b09d47e96132c248101447a11