CVE-2024-5208

6.5 MEDIUM

📋 TL;DR

An uncontrolled resource consumption vulnerability in the 'upload-link' endpoint of mintplex-labs/anything-llm allows authenticated users with Manager role or higher to cause denial of service by sending specially crafted upload requests. Attackers can shut down the server by sending empty or malformed requests with specific Content-Length headers. This affects all deployments of anything-llm with vulnerable versions.

💻 Affected Systems

Products:
  • mintplex-labs/anything-llm
Versions: All versions prior to fix commit e2439c6d4c3cfdacd96cd1b7b92d1f89c3cc8459
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability affects all deployments with the vulnerable endpoint enabled. Requires at least Manager role access to exploit.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server shutdown leading to sustained denial of service, disrupting all LLM services and potentially causing data loss if unsaved work is affected.

🟠 Likely Case: Temporary service disruption requiring a manual server restart, impacting productivity and availability of the anything-llm application.

🟢 If Mitigated: Minimal impact with proper authentication controls and rate limiting, though authenticated users could still cause temporary disruptions.

🌐 Internet-Facing: HIGH if exposed to internet with Manager accounts accessible, as exploitation requires only network access and valid credentials.
🏢 Internal Only: MEDIUM as it requires authenticated access, but insider threats or compromised credentials could lead to service disruption.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation details are publicly documented in bounty reports. Attack requires authenticated access with Manager privileges but uses simple HTTP requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit e2439c6d4c3cfdacd96cd1b7b92d1f89c3cc8459 and later

Vendor Advisory: https://github.com/mintplex-labs/anything-llm/commit/e2439c6d4c3cfdacd96cd1b7b92d1f89c3cc8459

Restart Required: Yes

Instructions:

1. Update to the latest anything-llm version.
2. Apply commit e2439c6d4c3cfdacd96cd1b7b92d1f89c3cc8459.
3. Restart the anything-llm service.
4. Verify the fix by testing the upload-link endpoint.

🔧 Temporary Workarounds

Disable upload-link endpoint (platform: all)

Temporarily disable or restrict access to the vulnerable upload-link endpoint.

# Configure the web server (nginx/apache) in front of the application to block /api/upload-link
# Or modify the application routing to disable the endpoint

Implement rate limiting (platform: linux)

Add rate limiting to the upload-link endpoint to prevent abuse.

# Using nginx: limit_req_zone $binary_remote_addr zone=uploadlimit:10m rate=1r/s;
# Then apply limit_req zone=uploadlimit to the location block serving /api/upload-link

🧯 If You Can't Patch

  • Restrict Manager role access to trusted users only
  • Implement network-level controls to monitor and block suspicious upload-link requests

🔍 How to Verify

Check if Vulnerable:

Send a POST request to /api/upload-link with Content-Length: 0 header and empty body using Manager credentials. If server crashes or becomes unresponsive, it's vulnerable.

Check Version:

Check git log for commit e2439c6d4c3cfdacd96cd1b7b92d1f89c3cc8459 or check package.json version if available

Verify Fix Applied:

After patching, repeat the test request. Server should return proper error response (400 Bad Request) instead of crashing.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed upload attempts from same user
  • Server crash logs following upload-link requests
  • Error logs showing malformed upload requests

Network Indicators:

  • High volume of POST requests to /api/upload-link
  • Requests with Content-Length: 0 or small arbitrary content
  • Rapid sequence of upload requests from single source

SIEM Query:

source="web_logs" AND (url_path="/api/upload-link" AND (content_length="0" OR status_code="400")) | stats count by src_ip user_agent
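The network and log indicators above can be turned into a small batch detector. The following is an added example, not code from the advisory or from the anything-llm project; it assumes JSON access-log records with the field names shown, and the body-size threshold and per-IP burst threshold are assumptions to be tuned for the deployment.

```javascript
// Added example (not from the advisory or anything-llm): flag the upload-link
// request pattern described above in a batch of web-server access-log records.
// Field names (ts, src_ip, method, path, content_length, status) are assumed.
const SUSPECT_PATH = "/api/upload-link";
const SMALL_BODY_BYTES = 64;  // assumed threshold for "small arbitrary content"
const BURST_THRESHOLD = 5;    // assumed: 5+ suspect requests from one IP in the window
const WINDOW_MS = 60 * 1000;  // one-minute sliding window

// Constructed sample records, not real traffic: six tiny POSTs to the endpoint
// from one address in 25 seconds, plus benign requests from another address.
const SAMPLE_LOGS = [
  ...[0, 5, 10, 15, 20, 25].map((s) => ({
    ts: `2024-05-20T10:00:${String(s).padStart(2, "0")}Z`, src_ip: "198.51.100.7",
    method: "POST", path: SUSPECT_PATH, content_length: 0, status: 500,
  })),
  { ts: "2024-05-20T10:00:12Z", src_ip: "203.0.113.5", method: "POST",
    path: SUSPECT_PATH, content_length: 2048, status: 200 },
  { ts: "2024-05-20T10:00:13Z", src_ip: "203.0.113.5", method: "GET",
    path: "/api/workspaces", content_length: 0, status: 200 },
];

// A request matches the indicator when it is a POST to the upload-link endpoint
// with an empty or very small body (Content-Length 0 or below the threshold).
function isSuspectRequest(rec) {
  return rec.method === "POST" && rec.path === SUSPECT_PATH &&
    Number.isFinite(rec.content_length) && rec.content_length <= SMALL_BODY_BYTES;
}

// Group suspect requests per source IP and report each IP whose requests
// exceed BURST_THRESHOLD inside any WINDOW_MS sliding window.
function detectUploadLinkAbuse(records) {
  const perIp = new Map();
  for (const rec of records) {
    if (!isSuspectRequest(rec)) continue;
    const t = Date.parse(rec.ts);
    if (Number.isNaN(t)) continue;  // skip unparseable timestamps
    if (!perIp.has(rec.src_ip)) perIp.set(rec.src_ip, []);
    perIp.get(rec.src_ip).push(t);
  }
  const alerts = [];
  for (const [ip, times] of perIp) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > WINDOW_MS) start++;
      if (end - start + 1 >= BURST_THRESHOLD) {
        alerts.push({ src_ip: ip, count: end - start + 1,
                      first_seen: new Date(times[start]).toISOString() });
        break;  // one alert per IP is enough for triage
      }
    }
  }
  return alerts;
}
```

Running `detectUploadLinkAbuse(SAMPLE_LOGS)` on the constructed records reports only 198.51.100.7; the benign large upload and the GET are not counted.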
