CVE-2024-13059: Exploiting Path Traversal in AnythingLLM for Remote Code Execution

Summary: A critical vulnerability (CVE-2024-13059) has been identified in AnythingLLM, affecting versions prior to 1.3.1, which allows attackers to exploit improper handling of non-ASCII filenames, leading to potential remote code execution. The flaw arises from the multer library's inadequate sanitization of filenames, enabling directory traversal attacks. Users are advised to update to version 1.3.1 or later to mitigate this risk.

Affected: AnythingLLM < 1.3.1

Key points:

  • Severity: Critical, CVSS Score: 9.1, Published on February 10, 2025.
  • Attackers with manager or admin privileges can exploit the vulnerability through crafted file uploads.
  • Mitigation includes upgrading to version 1.3.1, restricting upload access, and implementing file validation checks.

Source: https://www.offsec.com/blog/cve-2024-13059/