CVE-2024-10109

Published: Mar 20, 2025Modified: Jul 11, 2025

8.3

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H

Exploitability: 2.8 / Impact: 5.5

Source: security@huntr.dev (Secondary)

Description

A vulnerability in the mintplex-labs/anything-llm repository, as of commit 5c40419, allows low privilege users to access the sensitive API endpoint "/api/system/custom-models". This access enables them to modify the model's API key and base path, leading to potential API key leakage and denial of service on chats.

Affected (1)

Products: Mintplexlabs: Anythingllm

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mintplexlabs Anythingllm	Before 1.3.1

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (2)

https://github.com/mintplex-labs/anything-llm/commit/8d302c3f670c582b09d47e96132c248101447a11

Source: security@huntr.dev

Patch

https://huntr.com/bounties/ad3c9e76-679d-4775-b203-96947ff73551

Source: security@huntr.dev

ExploitThird Party Advisory

Timeline

No history available yet.