CVE-2024-6842
📋 TL;DR
This vulnerability allows unauthenticated attackers to access the /setup-complete API endpoint in Anything-LLM version 1.5.5, exposing sensitive system settings including search engine API keys. Attackers can steal these keys to compromise user assets. Only users running the vulnerable version are affected.
💻 Affected Systems
- mintplex-labs/anything-llm
📦 What is this software?
Anythingllm by Mintplexlabs
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal all API keys, gain unauthorized access to integrated services, compromise user data, and cause financial loss through service abuse.
Likely Case
Attackers harvest API keys to access search engine services, potentially incurring costs for the victim and exposing sensitive search queries.
If Mitigated
With proper authentication controls, only authorized administrators can access sensitive settings, preventing key exposure.
🎯 Exploit Status
Exploitation requires only HTTP access to the vulnerable endpoint; no authentication or special tools needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit 8b1ceb30c159cf3a10efa16275bc6849d84e4ea8
Vendor Advisory: https://github.com/mintplex-labs/anything-llm/commit/8b1ceb30c159cf3a10efa16275bc6849d84e4ea8
Restart Required: No
Instructions:
1. Update to the latest version of Anything-LLM.
2. Apply the specific commit 8b1ceb30c159cf3a10efa16275bc6849d84e4ea8 if using version 1.5.5.
3. Verify the /setup-complete endpoint now requires proper authentication.
🔧 Temporary Workarounds
Block Unauthenticated Access to /setup-complete
Use web server or firewall rules to restrict access to the vulnerable endpoint.
# Example nginx location block
# Note: this blocks every client, including legitimate administrators, until the patch is applied
location /setup-complete {
    deny all;
    return 403;
}
Rotate Exposed API Keys
Immediately rotate any API keys that may have been exposed through this vulnerability.
# Access each integrated service's dashboard and generate new API keys
🧯 If You Can't Patch
- Implement network segmentation to isolate the Anything-LLM instance from the internet.
- Deploy a Web Application Firewall (WAF) with rules to block unauthorized access to sensitive endpoints.
🔍 How to Verify
Check if Vulnerable:
Send an unauthenticated HTTP GET request to the /setup-complete endpoint; if it returns sensitive settings without authentication, the system is vulnerable.
Check Version:
Check the application version in the web interface or configuration files; vulnerable if version is exactly 1.5.5.
Verify Fix Applied:
After patching, attempt the same unauthenticated request; it should return an authentication error or 403 Forbidden.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to the /setup-complete endpoint from unauthenticated users
- Multiple failed authentication attempts followed by successful /setup-complete access
Network Indicators:
- HTTP GET requests to /setup-complete without authentication headers
- Traffic spikes to the endpoint from unexpected IP addresses
SIEM Query:
source="web_logs" AND uri="/setup-complete" AND NOT (user_agent="*bot*" OR user_agent="*crawler*") AND auth_status="unauthenticated"
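The SIEM query above, implemented as an offline detector over constructed JSON-lines access logs. This is an added example, not part of the advisory or the Anything-LLM project; it assumes each log event carries the fields the query names (uri, user_agent, auth_status) plus ts, src and status, and it grades 2xx responses higher because those are the requests that actually served the settings.

```python
import json
from fnmatch import fnmatch

# Constructed sample access log (JSON lines). Addresses are documentation ranges, not real traffic.
SAMPLE_LOGS = """\
{"ts":"2024-07-18T10:01:02Z","src":"203.0.113.7","method":"GET","uri":"/setup-complete","status":200,"user_agent":"curl/8.4.0","auth_status":"unauthenticated"}
{"ts":"2024-07-18T10:01:05Z","src":"198.51.100.3","method":"GET","uri":"/setup-complete","status":200,"user_agent":"Mozilla/5.0","auth_status":"authenticated"}
{"ts":"2024-07-18T10:02:10Z","src":"192.0.2.9","method":"GET","uri":"/setup-complete?x=1","status":200,"user_agent":"Googlebot/2.1","auth_status":"unauthenticated"}
{"ts":"2024-07-18T10:03:00Z","src":"203.0.113.7","method":"GET","uri":"/api/system","status":401,"user_agent":"curl/8.4.0","auth_status":"unauthenticated"}
{"ts":"2024-07-18T10:04:00Z","src":"203.0.113.8","method":"GET","uri":"/setup-complete","status":403,"user_agent":"python-requests/2.31","auth_status":"unauthenticated"}
"""

BOT_PATTERNS = ("*bot*", "*crawler*")  # the user_agent exclusions from the page's query


def matches_setup_complete_query(event):
    """Return True when an event satisfies the page's SIEM query.

    The path is compared with any query string stripped, so /setup-complete?x=1
    still counts as a hit on the endpoint (the raw query uses an exact match).
    """
    path = str(event.get("uri", "")).split("?", 1)[0]
    if path != "/setup-complete":
        return False
    if event.get("auth_status") != "unauthenticated":
        return False
    ua = str(event.get("user_agent", "")).lower()
    return not any(fnmatch(ua, pattern) for pattern in BOT_PATTERNS)


def detect(log_text):
    """Parse JSON-lines logs and return one alert per matching event, in log order."""
    alerts = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of crashing the detector
        if not matches_setup_complete_query(event):
            continue
        status = int(event.get("status", 0))
        # A 2xx means the settings were served to an unauthenticated client: probable key exposure.
        severity = "high" if 200 <= status < 300 else "low"
        alerts.append({"ts": event.get("ts"), "src": event.get("src"),
                       "status": status, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

The bot exclusion copied from the query is only noise reduction, since a client can send any User-Agent string; a "low" alert for a blocked request still shows who is probing the endpoint.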