CVE-2024-8251
📋 TL;DR
A Prisma injection vulnerability in mintplex-labs/anything-llm allows attackers to bypass access controls by sending specially crafted JSON to the /embed/:embedId/stream-chat API endpoint. This enables unauthorized access to all user queries in embedded chat mode. Anyone running anything-llm versions prior to 1.2.2 with embedded chat functionality enabled is affected.
💻 Affected Systems
- mintplex-labs/anything-llm
📦 What is this software?
Anythingllm by Mintplexlabs
⚠️ Risk & Real-World Impact
Worst Case
Complete exposure of all user queries stored in the database, potentially revealing sensitive information, conversation history, and proprietary data.
Likely Case
Unauthorized access to user chat queries and conversation data, compromising user privacy and potentially exposing confidential information.
If Mitigated
Limited exposure if proper input validation and access controls are implemented, restricting data leakage to authorized users only.
🎯 Exploit Status
Exploitation requires access to the vulnerable API endpoint but does not require authentication to the main application. The exploit technique is documented in public references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.2
Vendor Advisory: https://github.com/mintplex-labs/anything-llm/commit/334fd9cdd02ad4aa6a3c9bdfc95e7764651c13f4
Restart Required: Yes
Instructions:
1. Update to version 1.2.2 or later. 2. Restart the anything-llm service. 3. Verify the fix by checking the version and testing the vulnerable endpoint.
🔧 Temporary Workarounds
Disable embedded chat endpoint
allTemporarily disable or block access to the /embed/:embedId/stream-chat API endpoint
# Use firewall rules to block the endpoint
# Example for nginx: location ~ ^/embed/.*/stream-chat { deny all; }
Input validation middleware
allAdd input validation to sanitize JSON payloads before passing to Prisma
# Implement JSON schema validation or sanitize the 'sessionId' parameter
# Example: Validate sessionId is a string, not an object
🧯 If You Can't Patch
- Implement network segmentation to restrict access to the vulnerable API endpoint
- Deploy a web application firewall (WAF) with SQL/NoSQL injection protection rules
🔍 How to Verify
Check if Vulnerable:
Check if version is below 1.2.2 and test the /embed/:embedId/stream-chat endpoint with a payload like {"sessionId":{"not":"a"}}Check Version:
Check package.json or application version endpoint if availableVerify Fix Applied:
Update to version 1.2.2 or later and verify the same payload no longer returns unauthorized data📡 Detection & Monitoring
Log Indicators:
- Unusual API requests to /embed/*/stream-chat with complex JSON objects
- Large data retrieval from chat query tables
Network Indicators:
- HTTP POST requests to embedded chat endpoints with JSON containing 'not' operators
- Abnormal response sizes from chat API calls
SIEM Query:
source="web_logs" AND uri_path="/embed/*/stream-chat" AND request_body LIKE "%not%"