PT-2024-15530 · Mintplex · Anything-Llm
Published 2024-04-15 · Updated 2025-07-09 · CVE-2024-0404
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
mintplex-labs/anything-llm repository (affected versions not specified)
Description
A mass assignment vulnerability exists in the "/api/invite/:code" endpoint, allowing unauthorized creation of high-privileged accounts. By intercepting and modifying the HTTP request sent while creating an account through an invitation link, an attacker can add a role property with the value admin and thereby gain administrative access. The issue arises because the endpoint neither allowlists nor blocklists the properties it accepts from the request body, so the attacker can perform actions as an administrator.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider disabling the /api/invite/:code endpoint until a patch is available. Restrict access to the account creation process via invitation links to minimize the risk of exploitation. Avoid using the role property in the affected API endpoint until the issue is resolved.
Exploit
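The advisory's Exploit section carries no content. As an added illustration, not code from the advisory or from the AnythingLLM project, the JavaScript below contrasts a hypothetical invite-acceptance handler that copies the whole request body into the new user record (the mass-assignment pattern the description names) with a hardened handler that allowlists the fields a client may set and always takes the role from the invite. The handler names, the in-memory store, the invite code and the request bodies are constructed for this example.

```javascript
// Added example, not AnythingLLM's code: a hypothetical invite-acceptance
// handler in the Express request/response style, shown first in the
// mass-assignment-prone form and then hardened with a field allowlist.
// The in-memory store, the invite code and the request bodies are
// constructed for the demonstration; password hashing is omitted.

// Fresh store per call so the vulnerable and hardened handlers each see
// the same pending invite.
const store = () => ({
  invites: { "INVITE-CODE-EXAMPLE": { status: "pending", role: "default" } },
  users: [],
});

// Vulnerable pattern: every property of the JSON body is spread into the
// new user record, so a client-supplied "role" overrides the invite's role.
function acceptInviteVulnerable(db, req) {
  const invite = db.invites[req.params.code];
  if (!invite || invite.status !== "pending") return { status: 404, error: "invite not found" };
  const user = { id: db.users.length + 1, role: invite.role, ...req.body };
  db.users.push(user);
  invite.status = "claimed";
  return { status: 200, user };
}

// Hardened pattern: only the fields a new invitee may legitimately set are
// read from the body, anything else is rejected, and the privilege level
// comes from the server-side invite record only.
const INVITE_ALLOWED_FIELDS = ["username", "password"];

function acceptInviteHardened(db, req) {
  const invite = db.invites[req.params.code];
  if (!invite || invite.status !== "pending") return { status: 404, error: "invite not found" };
  const rejected = Object.keys(req.body).filter((k) => !INVITE_ALLOWED_FIELDS.includes(k));
  if (rejected.length > 0) {
    // Surfacing the unexpected property (rather than silently dropping it)
    // gives operators a log line to alert on.
    return { status: 400, error: `unexpected fields: ${rejected.join(", ")}` };
  }
  const user = { id: db.users.length + 1, role: invite.role };
  for (const k of INVITE_ALLOWED_FIELDS) if (k in req.body) user[k] = req.body[k];
  db.users.push(user);
  invite.status = "claimed";
  return { status: 200, user };
}

// Constructed request of the kind the advisory describes: a normal invite
// acceptance with an extra "role" property injected into the body.
const tamperedRequest = {
  params: { code: "INVITE-CODE-EXAMPLE" },
  body: { username: "newuser", password: "correct horse battery staple", role: "admin" },
};

// Constructed well-formed request, to show the hardened handler still works.
const legitimateRequest = {
  params: { code: "INVITE-CODE-EXAMPLE" },
  body: { username: "newuser", password: "correct horse battery staple" },
};

// Replay both requests against both handlers and report the outcomes.
function demo() {
  const vulnerable = acceptInviteVulnerable(store(), tamperedRequest);
  const hardenedTampered = acceptInviteHardened(store(), tamperedRequest);
  const hardenedLegit = acceptInviteHardened(store(), legitimateRequest);
  return {
    vulnerableRole: vulnerable.user.role,          // "admin": escalation succeeded
    hardenedTamperedStatus: hardenedTampered.status, // 400: tampering rejected
    hardenedLegitRole: hardenedLegit.user.role,    // "default": role from invite
  };
}

console.log(demo());
```

The allowlist is the fix the description points at: with it in place the role field is simply not a property the endpoint reads, so no blocklist of individual dangerous names has to be kept up to date as the user model grows.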
Weakness Enumeration
Related Identifiers
Affected Products
Anything-Llm