
CVE-2024-8248: Path Traversal in mintplex-labs/anything-llm

7.2 CVSS

Description

A vulnerability in the normalizePath function in mintplex-labs/anything-llm version git 296f041 allows for path traversal, leading to arbitrary file read and write in the storage directory. This can result in privilege escalation from manager to admin. The issue is fixed in version 1.2.2.

Classification

CVE ID: CVE-2024-8248

CVSS Base Severity: HIGH

CVSS Base Score: 7.2

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Problem Types

CWE-29 Path Traversal: '\..\filename'

Affected Products

Vendor: mintplex-labs

Product: mintplex-labs/anything-llm

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.07% (probability of being exploited)

EPSS Percentile: 22.4% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-18 (when this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-8248
https://huntr.com/bounties/7d6c3b7a-1116-450d-b539-9c911a97537e
https://github.com/mintplex-labs/anything-llm/commit/47a5c7126c20e2277ee56e2c7ee11990886a40a7

Timeline