CVE-2024-3150
📋 TL;DR
This vulnerability allows users with Default or Manager roles in mintplex-labs/anything-llm to escalate their privileges to Administrator by exploiting improper input validation in the thread update endpoint. Attackers can craft malicious Prisma queries to modify user roles, granting them full system access. All deployments using vulnerable versions are affected.
💻 Affected Systems
- mintplex-labs/anything-llm
📦 What is this software?
Anythingllm by Mintplexlabs
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where attackers gain administrative privileges, allowing them to access all data, modify configurations, and potentially execute arbitrary code.
Likely Case
Privilege escalation leading to unauthorized administrative access, data exfiltration, and system manipulation by authenticated users with lower privileges.
If Mitigated
Limited impact with proper input validation and role-based access controls preventing unauthorized privilege changes.
🎯 Exploit Status
Exploitation requires authenticated access with Default or Manager role. Public proof-of-concept exists in the referenced bounty report.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 200bd7f0615347ed2efc07903d510e5a208b0afc
Vendor Advisory: https://github.com/mintplex-labs/anything-llm/commit/200bd7f0615347ed2efc07903d510e5a208b0afc
Restart Required: Yes
Instructions:
1. Update to the latest version containing commit 200bd7f0615347ed2efc07903d510e5a208b0afc. 2. Restart the application. 3. Verify the fix by testing privilege escalation attempts.
🔧 Temporary Workarounds
Disable thread update endpoint
allTemporarily block access to the vulnerable endpoint /workspace/:slug/thread/:threadSlug/update
Configure web server or firewall to block POST requests to /workspace/*/thread/*/update
Restrict user roles
allTemporarily remove Default and Manager role users or restrict their access
Review and modify user role assignments in the application
🧯 If You Can't Patch
- Implement strict input validation at the application layer for all user-controlled data
- Add additional authorization checks before processing thread update operations
🔍 How to Verify
Check if Vulnerable:
Check if your version is before commit 200bd7f0615347ed2efc07903d510e5a208b0afc by examining the git history or version metadata.Check Version:
git log --oneline -1Verify Fix Applied:
Attempt to reproduce the privilege escalation using the known exploit technique after applying the patch.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /workspace/*/thread/*/update with suspicious parameters
- User role change events from non-admin users
- Multiple failed privilege escalation attempts
Network Indicators:
- HTTP POST requests to thread update endpoint with Prisma query parameters
- Unusual traffic patterns from authenticated users
SIEM Query:
source="application.log" AND (uri_path="/workspace/*/thread/*/update" AND http_method="POST") AND (message="role change" OR message="privilege escalation")🔗 References
- https://github.com/mintplex-labs/anything-llm/commit/200bd7f0615347ed2efc07903d510e5a208b0afc
- https://huntr.com/bounties/745f5c80-14ea-4055-9f15-a066ae93e5a3
- https://github.com/mintplex-labs/anything-llm/commit/200bd7f0615347ed2efc07903d510e5a208b0afc
- https://huntr.com/bounties/745f5c80-14ea-4055-9f15-a066ae93e5a3
