CVE-2024-10109

NONE · EPSS 38.3%
Published Mar 20, 2025 (1y ago) · Last Modified Jun 17, 2026 (1w ago)

Description

A vulnerability in the mintplex-labs/anything-llm repository, as of commit 5c40419, allows low privilege users to access the sensitive API endpoint "/api/system/custom-models". This access enables them to modify the model's API key and base path, leading to potential API key leakage and denial of service on chats.

Threat Intelligence

EPSS Exploit Probability: 38.3% percentile
Exploit & Patch Status: Public Exploit Known; Patch Available

Weaknesses 1

CWE-863: Incorrect Authorization

Affected Products 1

Vendor        Product      Version  Range
mintplexlabs  anythingllm  *        <1.3.1

References 2

  • github.com https://github.com/mintplex-labs/anything-llm/commit/8d302c3f670c582b09d47e96132c248101447a11
    Patch
  • huntr.com https://huntr.com/bounties/ad3c9e76-679d-4775-b203-96947ff73551
    Exploit, Third Party Advisory

Remediation

  • github.com https://github.com/mintplex-labs/anything-llm/commit/8d302c3f670c582b09d47e96132c248101447a11
    Patch