CVE-2024-4284 - Vulnerability Details - OpenCVE

A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user's `id` attribute to a value of 0. This issue affects the current version of the software, with the latest commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. By exploiting this vulnerability, an attacker, with manager or admin privileges, can render a chosen account completely inaccessible. The application's mechanism for suspending accounts does not provide a means to reverse this condition through the UI, leading to uncontrolled resource consumption. The vulnerability is introduced due to the lack of input validation and sanitization in the user modification endpoint and the middleware's token validation logic. This issue has been addressed in version 1.0.0 of the software.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mintplexlabs	Anythingllm

Configuration 1 [-]

cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789
https://huntr.com/bounties/a5f45596-0aef-49e0-9f7d-63f1955a1552

History

Thu, 10 Jul 2025 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mintplexlabs Mintplexlabs anythingllm
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:mintplexlabs:anythingllm::::::::
Vendors & Products		Mintplexlabs Mintplexlabs anythingllm

MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-05-19T22:23:48.278Z

Updated: 2024-08-01T20:33:53.194Z

Reserved: 2024-04-26T23:07:28.737Z

Link: CVE-2024-4284

Vulnrichment

Updated: 2024-08-01T20:33:53.194Z

NVD

Status : Analyzed

Published: 2024-05-19T23:15:06.960

Modified: 2025-07-10T16:14:58.460

Link: CVE-2024-4284

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-4284", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-04-26T23:07:28.737Z", "datePublished": "2024-05-19T22:23:48.278Z", "dateUpdated": "2024-08-01T20:33:53.194Z"}, "containers": {"cna": {"title": "Denial of Service in mintplex-labs/anything-llm", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-05-19T22:23:48.278Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user's `id` attribute to a value of 0. This issue affects the current version of the software, with the latest commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. By exploiting this vulnerability, an attacker, with manager or admin privileges, can render a chosen account completely inaccessible. The application's mechanism for suspending accounts does not provide a means to reverse this condition through the UI, leading to uncontrolled resource consumption. The vulnerability is introduced due to the lack of input validation and sanitization in the user modification endpoint and the middleware's token validation logic. This issue has been addressed in version 1.0.0 of the software."}], "affected": [{"vendor": "mintplex-labs", "product": "mintplex-labs/anything-llm", "versions": [{"version": "unspecified", "lessThan": "1.0.0", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/a5f45596-0aef-49e0-9f7d-63f1955a1552"}, {"url": "https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.9, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption", "cweId": "CWE-400"}]}], "source": {"advisory": "a5f45596-0aef-49e0-9f7d-63f1955a1552", "discovery": "EXTERNAL"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-4284", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-20T14:28:42.358377Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:55:29.452Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:33:53.194Z"}, "title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/a5f45596-0aef-49e0-9f7d-63f1955a1552", "tags": ["x_transferred"]}, {"url": "https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/a5f45596-0aef-49e0-9f7d-63f1955a1552", "tags": ["x_transferred"]}, {"url": "https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:33:53.194Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-4284", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-20T14:28:42.358377Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-31T18:42:20.735Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Denial of Service in mintplex-labs/anything-llm", "source": {"advisory": "a5f45596-0aef-49e0-9f7d-63f1955a1552", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "mintplex-labs", "product": "mintplex-labs/anything-llm", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "1.0.0", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/a5f45596-0aef-49e0-9f7d-63f1955a1552"}, {"url": "https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789"}], "descriptions": [{"lang": "en", "value": "A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user's `id` attribute to a value of 0. This issue affects the current version of the software, with the latest commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. By exploiting this vulnerability, an attacker, with manager or admin privileges, can render a chosen account completely inaccessible. The application's mechanism for suspending accounts does not provide a means to reverse this condition through the UI, leading to uncontrolled resource consumption. The vulnerability is introduced due to the lack of input validation and sanitization in the user modification endpoint and the middleware's token validation logic. This issue has been addressed in version 1.0.0 of the software."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-05-19T22:23:48.278Z"}}}, "cveMetadata": {"cveId": "CVE-2024-4284", "state": "PUBLISHED", "dateUpdated": "2024-08-01T20:33:53.194Z", "dateReserved": "2024-04-26T23:07:28.737Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2024-05-19T22:23:48.278Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*", "matchCriteriaId": "0D667E32-5A5C-479C-BB81-47F3BCA38C13", "versionEndExcluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user's `id` attribute to a value of 0. This issue affects the current version of the software, with the latest commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. By exploiting this vulnerability, an attacker, with manager or admin privileges, can render a chosen account completely inaccessible. The application's mechanism for suspending accounts does not provide a means to reverse this condition through the UI, leading to uncontrolled resource consumption. The vulnerability is introduced due to the lack of input validation and sanitization in the user modification endpoint and the middleware's token validation logic. This issue has been addressed in version 1.0.0 of the software."}, {"lang": "es", "value": "Una vulnerabilidad en mintplex-labs/anything-llm permite una condici\u00f3n de denegaci\u00f3n de servicio (DoS) mediante la modificaci\u00f3n del atributo `id` de un usuario a un valor de 0. Este problema afecta la versi\u00f3n actual del software, con la \u00faltima confirmaci\u00f3n identificaci\u00f3n `57984fa85c31988b2eff429adfc654c46e0c342a`. Al explotar esta vulnerabilidad, un atacante, con privilegios de administrador o administrador, puede hacer que la cuenta elegida sea completamente inaccesible. El mecanismo de la aplicaci\u00f3n para suspender cuentas no proporciona un medio para revertir esta condici\u00f3n a trav\u00e9s de la interfaz de usuario, lo que genera un consumo descontrolado de recursos. La vulnerabilidad se introduce debido a la falta de validaci\u00f3n y desinfecci\u00f3n de entradas en el endpoint de modificaci\u00f3n del usuario y la l\u00f3gica de validaci\u00f3n del token del middleware. Este problema se solucion\u00f3 en la versi\u00f3n 1.0.0 del software."}], "id": "CVE-2024-4284", "lastModified": "2025-07-10T16:14:58.460", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}]}, "published": "2024-05-19T23:15:06.960", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789"}, {"source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.com/bounties/a5f45596-0aef-49e0-9f7d-63f1955a1552"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.com/bounties/a5f45596-0aef-49e0-9f7d-63f1955a1552"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "[email protected]", "type": "Primary"}]}