CVE-2024-5213

Published: Jun 20, 2024Modified: Oct 15, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login (`POST /api/request-token`) and after account creations (`POST /api/admin/users/new`). This exposure occurs because the entire User object, including the bcrypt password hash, is included in the response sent to the frontend. This practice could potentially lead to sensitive information exposure despite the use of bcrypt, a strong hashing algorithm. It is recommended not to expose any clues about passwords to the frontend.

Affected (1)

Products: Mintplexlabs: Anythingllm

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mintplexlabs Anythingllm	Up to 1.5.3

Related CWEs

Insertion of Sensitive Information Into Sent Data

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

References (4)

https://github.com/mintplex-labs/anything-llm/commit/9df4521113ddb9a3adb5d0e3941e7d494992629c

Source: security@huntr.dev

Patch

https://huntr.com/bounties/8794fb65-50aa-40e3-b348-a29838dbf63d

Source: security@huntr.dev

ExploitThird Party Advisory

https://github.com/mintplex-labs/anything-llm/commit/9df4521113ddb9a3adb5d0e3941e7d494992629c

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://huntr.com/bounties/8794fb65-50aa-40e3-b348-a29838dbf63d

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.