CVE-2024-8196

9.8 CRITICAL

📋 TL;DR

The Anything-LLM desktop application for Windows opens port 3001 on all network interfaces (0.0.0.0) without authentication by default. This allows attackers on the same network to gain full backend access, enabling them to delete all workspace data. Users running version 1.5.11 of the Windows desktop edition are affected.

💻 Affected Systems

Products:
  • mintplex-labs/anything-llm
Versions: v1.5.11 desktop version
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the Windows desktop edition. The web/cloud versions may have different configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete data loss through workspace deletion, potential data exfiltration, and system compromise if the application has elevated privileges.
🟠 Likely Case: Unauthorized access leading to data deletion or manipulation of the LLM workspace.
🟢 If Mitigated: Limited to local network attacks if proper network segmentation is in place.

🌐 Internet-Facing: HIGH - The service binds to 0.0.0.0, making it accessible from any network interface including internet-facing ones.
🏢 Internal Only: HIGH - Even on internal networks, any user or compromised system can access the unauthenticated service.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only network access to port 3001 - no authentication or special tools needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 9bfe477f10b188bfe3508ac29105df80d4522ece

Vendor Advisory: https://github.com/mintplex-labs/anything-llm/commit/9bfe477f10b188bfe3508ac29105df80d4522ece

Restart Required: Yes

Instructions:

1. Update to the latest version of Anything-LLM.
2. Restart the application.
3. Verify port 3001 is no longer bound to 0.0.0.0 or has authentication enabled.

🔧 Temporary Workarounds

Windows Firewall Block

Block incoming connections to port 3001 using Windows Firewall

netsh advfirewall firewall add rule name="Block Anything-LLM Port" dir=in action=block protocol=TCP localport=3001

Change Binding Address

Configure the application to bind only to localhost (127.0.0.1)

Modify application configuration to set bind address to 127.0.0.1

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the system from untrusted networks
  • Deploy host-based firewall rules to restrict access to port 3001 to trusted IPs only

🔍 How to Verify

Check if Vulnerable:

Run 'netstat -an | findstr :3001' on Windows. If it shows 0.0.0.0:3001 LISTENING, the system is vulnerable.

Check Version:

Check application version in the About section or application settings

Verify Fix Applied:

After updating, run 'netstat -an | findstr :3001'. The output should show 127.0.0.1:3001 or no listener on port 3001.
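
A stricter form of the netstat check, as an added PowerShell example (not from the original advisory or the Anything-LLM project): it matches port 3001 exactly, so ports such as 30010 and remote endpoints that 'findstr :3001' would also catch are ignored, and it treats the IPv6 wildcard :: the same as 0.0.0.0. The function name Get-PortExposure, the sample records and the placeholder PID are constructed for illustration.

```powershell
# Added example (not vendor code): report how a TCP port is bound on this host.
function Get-PortExposure {
    param(
        [int]$Port = 3001,   # port named in the advisory
        # Records with LocalAddress, LocalPort and OwningProcess. Defaults to the
        # live listener table; pass constructed records to exercise the logic.
        [object[]]$Listeners = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue)
    )
    foreach ($l in @($Listeners | Where-Object { $_.LocalPort -eq $Port })) {
        $addr = [string]$l.LocalAddress
        $exposure = if ($addr -in '0.0.0.0', '::') {
            'ALL-INTERFACES'       # wildcard bind: reachable from the network
        } elseif ($addr -eq '::1' -or $addr -like '127.*') {
            'LOOPBACK-ONLY'        # local processes only
        } else {
            'SPECIFIC-INTERFACE'   # reachable through that one address
        }
        # Resolve the owning process so the listener can be attributed.
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $addr
            Port         = $l.LocalPort
            Exposure     = $exposure
            Process      = if ($proc) { $proc.ProcessName } else { "pid $($l.OwningProcess)" }
        }
    }
}

# Constructed sample records (not captured from a real host); 999999 is a placeholder PID.
$sample = @(
    [pscustomobject]@{ LocalAddress = '0.0.0.0';   LocalPort = 3001;  OwningProcess = 999999 }
    [pscustomobject]@{ LocalAddress = '::';        LocalPort = 3001;  OwningProcess = 999999 }
    [pscustomobject]@{ LocalAddress = '127.0.0.1'; LocalPort = 3001;  OwningProcess = 999999 }
    # Port 30010 contains the text ":3001" but is a different port and is skipped.
    [pscustomobject]@{ LocalAddress = '0.0.0.0';   LocalPort = 30010; OwningProcess = 999999 }
)
Get-PortExposure -Listeners $sample | Format-Table -AutoSize

# Live check on the current host.
Get-PortExposure | Format-Table -AutoSize
```

Any row reporting ALL-INTERFACES for port 3001 corresponds to the vulnerable binding described above; no rows or only LOOPBACK-ONLY rows match the fixed state.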

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to port 3001
  • Unexpected data deletion or modification events

Network Indicators:

  • Unexpected connections to TCP port 3001 from unauthorized sources
  • Traffic patterns indicating data exfiltration

SIEM Query:

destination_port=3001 AND (source_ip NOT IN [trusted_ips])
