CVE-2024-0455
📋 TL;DR
AnythingLLM's web scraper fetches whatever URL an authenticated user submits without restricting internal destinations (server-side request forgery). A manager, admin, or the sole account in single-user mode can point it at the EC2 instance metadata service (IMDS, 169.254.169.254) and read back the temporary IAM role credentials attached to the instance hosting AnythingLLM, then use them to manage that instance and anything else the role permits. Exploitation needs an account at one of those privilege levels plus knowledge that the deployment runs on EC2; every EC2-hosted deployment with such users is exposed.
💻 Affected Systems
- AnythingLLM
📦 What is this software?
AnythingLLM by Mintplex Labs: an open-source application for chatting with your own documents through an LLM (retrieval-augmented generation), with a built-in web scraper that fetches user-submitted URLs as document sources.
⚠️ Risk & Real-World Impact
Worst Case
An attacker obtains the instance role's credentials; if that role is over-privileged, this becomes access to the wider AWS account: data exfiltration, deployment of malicious resources, or significant cloud spend. The credentials also work from outside the instance, so the foothold survives loss of access to AnythingLLM until they expire.
Likely Case
Authorized but malicious users obtain temporary AWS credentials, allowing them to access and potentially modify resources associated with the EC2 instance's IAM role.
If Mitigated
With network controls blocking the AnythingLLM process from reaching the instance metadata service, the request fails even if the URL is submitted. Requiring IMDSv2 on the instance has the same effect: IMDSv2 needs a PUT to obtain a session token before any GET, which a scraper that simply fetches a submitted URL cannot perform.
🎯 Exploit Status
Exploitation requires an authenticated AnythingLLM account at manager or admin level (or any account in single-user mode). The IMDS URL itself is public AWS documentation, so the account is the only real barrier; the huntr report includes a demonstration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit b2b2c2afe15c48952d57b4d01e7108f9515c5f55 or later
Vendor Advisory: https://github.com/mintplex-labs/anything-llm/commit/b2b2c2afe15c48952d57b4d01e7108f9515c5f55
Restart Required: Yes
Instructions:
1. Update AnythingLLM to the latest version, or at least to commit b2b2c2afe15c48952d57b4d01e7108f9515c5f55.
2. Restart the AnythingLLM service.
3. Verify the web scraper now refuses requests to the instance metadata endpoint (see How to Verify below).
🔧 Temporary Workarounds
Block Instance Metadata Service Access
Linux: Configure host firewall rules to prevent AnythingLLM from reaching the EC2 instance metadata service at 169.254.169.254.
sudo iptables -A OUTPUT -d 169.254.169.254 -j DROP
As written this rule drops IMDS traffic for every process on the host, including any AWS SDK client the instance itself relies on; scope it to the account AnythingLLM runs as with iptables' owner match (-m owner --uid-owner <uid>). If AnythingLLM runs in a Docker container, the OUTPUT chain does not see the container's traffic: the rule belongs in the DOCKER-USER chain instead.
Restrict User Privileges
All platforms: Limit manager/admin roles to trusted users only and apply least privilege. Note that single-user mode has no role separation at all, so the sole account can exploit this.
🧯 If You Can't Patch
- Block 169.254.169.254 from the AnythingLLM process with host firewall rules (scoped to its user, or in DOCKER-USER for a containerised deployment).
- Require IMDSv2 on the instance (metadata option http-tokens set to required); the token-fetching PUT it demands cannot be issued by a scraper that only fetches a submitted URL.
- Give the instance role only the permissions AnythingLLM actually needs, so stolen credentials are worth less.
- Disable the web scraper functionality entirely if it is not required.
🔍 How to Verify
Check if Vulnerable:
Check whether your AnythingLLM checkout predates commit b2b2c2afe15c48952d57b4d01e7108f9515c5f55, and on an EC2 host test whether the web scraper can fetch http://169.254.169.254/latest/meta-data/ (on a non-EC2 host, use a listener you control on an internal address instead).
Check Version:
Check the git commit hash in your AnythingLLM installation directory or review the application version in the UI/admin panel.
Verify Fix Applied:
After updating, submit the EC2 metadata URL to the web scraper: the request should be refused before any connection is made. A timeout or generic fetch error is not proof of the fix, since a firewall rule produces the same symptom.
📡 Detection & Monitoring
Log Indicators:
- Web scraper requests to 169.254.169.254 in application logs
- CloudTrail events made with the instance role's credentials from a source IP other than the instance itself (credentials used after exfiltration); GuardDuty raises these as UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS or .InsideAWS
Network Indicators:
- Outbound connections from the AnythingLLM process to 169.254.169.254 on port 80 (IMDS is plain HTTP; there is no TLS endpoint)
SIEM Query:
source="anythingllm.logs" AND (url="*169.254.169.254*" OR destination_ip="169.254.169.254")
The url match only catches the dotted form; a submitted URL written as http://2852039166/, http://0xa9fea9fe/ or http://[::ffff:a9fe:a9fe]/ reaches the same address and is picked up only by the destination_ip clause, so keep the network-side match in the query.
🔗 References
- https://github.com/mintplex-labs/anything-llm/commit/b2b2c2afe15c48952d57b4d01e7108f9515c5f55
- https://huntr.com/bounties/07d83b49-7ebb-40d2-83fc-78381e3c5c9c