Vulnerability Description
An authentication bypass vulnerability exists in AnythingLLM v1.8.5 via the /api/workspaces endpoint. The endpoint fails to implement proper authentication checks, allowing unauthenticated remote attackers to enumerate and retrieve detailed information about all configured workspaces. Exposed data includes: workspace identifiers (id, name, slug), AI model configurations (chatProvider, chatModel, agentProvider), system prompts (openAiPrompt), operational parameters (temperature, history length, similarity thresholds), vector search settings, chat modes, and timestamps.
CVSS Score
5.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mintplexlabs | Anythingllm | 1.8.5 |
Related Weaknesses (CWE)
References
- https://gist.github.com/Cristliu/0897bceac5fdc2d945304b5087a84f14
- https://gist.github.com/Cristliu/ba529c99abec87102e5ef36435d02a6d (Third Party Advisory)
- https://github.com/Mintplex-Labs/anything-llm/issues (Issue Tracking)
FAQ
What is CVE-2025-63390?
CVE-2025-63390 is a vulnerability with a CVSS score of 5.3 (MEDIUM). An authentication bypass vulnerability exists in AnythingLLM v1.8.5 via the /api/workspaces endpoint. The endpoint fails to implement proper authentication checks, allowing unauthenticated remote a...
How severe is CVE-2025-63390?
CVE-2025-63390 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2025-63390?
Check the references section above for vendor advisories and patch information. Affected products include: Mintplexlabs Anythingllm.