Vulnerability Description
A vulnerability in mintplex-labs/anything-llm prior to version 1.2.2 allows for Prisma injection. The issue exists in the API endpoint "/embed/:embedId/stream-chat" where user-provided JSON is directly taken to the Prisma library's where clause. An attacker can exploit this by providing a specially crafted JSON object, such as {"sessionId":{"not":"a"}}, causing Prisma to return all data from the table. This can lead to unauthorized access to all user queries in embedded chat mode.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mintplexlabs | Anythingllm | < 1.2.2 |
Related Weaknesses (CWE)
References
- https://github.com/mintplex-labs/anything-llm/commit/334fd9cdd02ad4aa6a3c9bdfc95Patch
- https://huntr.com/bounties/7c263ef1-7d50-475a-9425-b15df4e0403cExploitThird Party Advisory
FAQ
What is CVE-2024-8251?
CVE-2024-8251 is a vulnerability with a CVSS score of 5.3 (MEDIUM). A vulnerability in mintplex-labs/anything-llm prior to version 1.2.2 allows for Prisma injection. The issue exists in the API endpoint "/embed/:embedId/stream-chat" where user-provided JSON is directl...
How severe is CVE-2024-8251?
CVE-2024-8251 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-8251?
Check the references section above for vendor advisories and patch information. Affected products include: Mintplexlabs Anythingllm.