CVE-2024-0759

7.5 HIGH

📋 TL;DR

This vulnerability in AnythingLLM allows authenticated users with manager or admin permissions to discover and potentially access other internal services on the same network through link scraping. It affects organizations hosting AnythingLLM internally where attackers have compromised privileged accounts. The risk is limited to internal network reconnaissance and potential lateral movement.

💻 Affected Systems

Products:
  • AnythingLLM
Versions: Before commit 0db6c3b2aa1787a7054ffdaba975474f122c20eb
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances hosted on internal networks with privileged users (manager/admin).

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker discovers and accesses unprotected internal services, leading to data exfiltration, credential theft, or further network compromise.

🟠

Likely Case

Internal network reconnaissance revealing service IPs and potential access to poorly secured internal services.

🟢

If Mitigated

Limited to discovery of internal IPs without actual access due to proper network segmentation and service authentication.

🌐 Internet-Facing: LOW - Vulnerability requires internal network access and authenticated privileged user.
🏢 Internal Only: HIGH - Exploitable by compromised privileged users on internal networks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires privileged account compromise and internal network access. IP guessing/brute-forcing needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 0db6c3b2aa1787a7054ffdaba975474f122c20eb

Vendor Advisory: https://github.com/mintplex-labs/anything-llm/commit/0db6c3b2aa1787a7054ffdaba975474f122c20eb

Restart Required: Yes

Instructions:

1. Update AnythingLLM to a version containing commit 0db6c3b2aa1787a7054ffdaba975474f122c20eb
2. Restart the AnythingLLM service
3. Verify the fix by testing that the link collector refuses internal addresses

🔧 Temporary Workarounds

Restrict privileged access (applies to: all)

Limit manager/admin permissions to trusted users only and implement strong authentication.

Network segmentation (applies to: all)

Isolate AnythingLLM from other internal services using network segmentation or firewalls.

🧯 If You Can't Patch

  • Implement strict access controls for manager/admin roles and monitor privileged user activity
  • Segment network to prevent AnythingLLM from accessing other internal services

🔍 How to Verify

Check if Vulnerable:

Check whether your AnythingLLM version predates commit 0db6c3b2aa1787a7054ffdaba975474f122c20eb, and test whether authenticated manager/admin users can scrape internal IP addresses via the link collector.

Check Version:

Check the git commit history or version metadata of the AnythingLLM installation.

Verify Fix Applied:

After update, test that authenticated users cannot use link collector to access internal IP addresses.
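The behaviour the verification step above checks for is an egress guard in front of the link collector: resolve the target hostname and refuse to fetch when any resulting address is loopback, link-local or private. The following is an added illustration of that class of check, not AnythingLLM's own code or the actual fix commit; the resolver is injected as a parameter (assumed signature: async hostname -> array of addresses) so the guard can be exercised offline, and IPv6 handling is deliberately simplified.

```javascript
// Added example (not AnythingLLM's code): egress guard for a server-side link collector.
// IPv4 ranges a server-side fetcher should never reach on a user's behalf.
const BLOCKED_V4 = [
  ["0.0.0.0", 8],      // "this" network
  ["10.0.0.0", 8],     // RFC 1918
  ["100.64.0.0", 10],  // carrier-grade NAT
  ["127.0.0.0", 8],    // loopback
  ["169.254.0.0", 16], // link-local, incl. cloud metadata 169.254.169.254
  ["172.16.0.0", 12],  // RFC 1918: 172.16.0.0 through 172.31.255.255
  ["192.168.0.0", 16], // RFC 1918
  ["224.0.0.0", 3],    // multicast and reserved (224.0.0.0 and above)
];

function v4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets.reduce((acc, o) => (acc << 8) + o, 0) >>> 0;
}

function inCidr(ip, base, bits) {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((v4ToInt(ip) & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
}

function isBlockedAddress(ip) {
  if (v4ToInt(ip) !== null) return BLOCKED_V4.some(([b, n]) => inCidr(ip, b, n));
  if (ip.includes(":")) { // IPv6 literal (simplified; a full parser should canonicalize first)
    const v = ip.toLowerCase();
    const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(v); // IPv4-mapped form
    if (mapped) return isBlockedAddress(mapped[1]);
    return v === "::1" || v === "::" || /^f[cd]/.test(v) || /^fe[89ab]/.test(v);
  }
  return true; // not a parseable IP literal: refuse rather than guess
}

// `resolve(hostname)` is injected (e.g. dns.promises.resolve4) so the guard can
// be exercised offline; it returns the addresses the hostname maps to.
async function assertFetchable(urlString, resolve) {
  const url = new URL(urlString); // also normalizes literals like http://0x7f000001/
  if (url.protocol !== "http:" && url.protocol !== "https:") throw new Error("scheme not allowed");
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  const addrs = v4ToInt(host) !== null || host.includes(":") ? [host] : await resolve(host);
  if (addrs.length === 0 || addrs.some(isBlockedAddress)) {
    throw new Error(`refusing to fetch ${host}: resolves to a non-public address`);
  }
  return addrs; // callers must repeat this check for every HTTP redirect target
}
```

Checking the resolved address rather than the hostname string is what defeats DNS-based bypasses; redirect targets and any later re-resolution must be checked the same way.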

📡 Detection & Monitoring

Log Indicators:

  • Unusual link scraping activity by privileged users
  • Multiple failed attempts to access internal IPs

Network Indicators:

  • Unusual outbound connections from AnythingLLM to internal IP ranges
  • Port scanning patterns from AnythingLLM host

SIEM Query:

source="anythingllm" AND (event="link_scrape" OR event="url_collect") AND (dest_ip=10.* OR dest_ip=172.16.* OR dest_ip=192.168.*)

Note: the source, event and dest_ip fields above are placeholders to be mapped onto your own log schema. dest_ip=172.16.* matches only 172.16.0.0/16; the full RFC 1918 block 172.16.0.0/12 runs from 172.16.0.0 to 172.31.255.255, and loopback (127.0.0.0/8) and link-local (169.254.0.0/16, which includes cloud metadata endpoints) destinations are also worth matching.
