PT-2024-23736 · Unknown · Anything-Llm

Published 2024-06-06 · Updated 2024-10-15 · CVE-2024-3104

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: anything-llm versions prior to 1.0.0
Description: A remote code execution issue exists due to improper handling of environment variables. Attackers can exploit this by injecting arbitrary environment variables via the "POST /api/system/update-env" endpoint, allowing for the execution of arbitrary code on the host running anything-llm. Successful exploitation gives the attacker code execution on the host with the privileges of the user running the service, enabling them to read and modify any data that user can access and potentially cause a denial of service.
Recommendations: For anything-llm versions prior to 1.0.0, update to version 1.0.0 to resolve the issue. As a temporary workaround, restrict access to the "POST /api/system/update-env" endpoint until the update is applied.
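The description says the flaw is that the endpoint accepts arbitrary environment variables, and the recommendation is to restrict access to it. As an added example that is not anything-llm's own code, here is a hypothetical Express-style guard for such a route: an admin-only gate plus an allowlist validator for the request body; the allowlist entries, the `req.user` shape and the sample body are assumptions.

```javascript
// Added example, not anything-llm's own code: an allowlist validator for the JSON
// body of an env-update request, plus an Express-style admin gate for the route.
// The allowlist entries and the req.user shape are constructed assumptions.
const ALLOWED_ENV_KEYS = new Set([
  'EXAMPLE_LLM_PROVIDER', 'EXAMPLE_MODEL_NAME', 'EXAMPLE_EMBEDDING_MODEL',
]);
const KEY_PATTERN = /^[A-Z][A-Z0-9_]{0,63}$/;
const MAX_VALUE_LENGTH = 1024;

// Returns { ok, accepted, errors }. Unknown keys, non-string values and values
// carrying control characters (a newline would start a second line in a
// line-based .env file) are rejected; only allowlisted pairs are accepted.
function validateEnvUpdate(body) {
  const errors = [];
  const accepted = {};
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, accepted, errors: ['body must be a JSON object'] };
  }
  for (const [key, value] of Object.entries(body)) {
    if (!KEY_PATTERN.test(key)) { errors.push(`malformed key ${JSON.stringify(key)}`); continue; }
    if (!ALLOWED_ENV_KEYS.has(key)) { errors.push(`key not in allowlist: ${key}`); continue; }
    if (typeof value !== 'string') { errors.push(`${key}: value must be a string`); continue; }
    if (value.length > MAX_VALUE_LENGTH) { errors.push(`${key}: value too long`); continue; }
    if (/[\x00-\x1f\x7f]/.test(value)) { errors.push(`${key}: control characters rejected`); continue; }
    accepted[key] = value;
  }
  return { ok: errors.length === 0, accepted, errors };
}

// Serialize one accepted pair as a double-quoted dotenv line, so quotes,
// backslashes and '#' inside the value cannot be read as file structure.
function toEnvLine(key, value) {
  return `${key}=${JSON.stringify(value)}`;
}

// Express-style middleware: only an authenticated admin reaches the handler.
function requireAdmin(req, res, next) {
  if (!req.user || req.user.role !== 'admin') {
    return res.status(403).json({ error: 'forbidden' });
  }
  return next();
}

// Constructed request body: one legitimate pair, one unknown key, one value
// that tries to smuggle a second .env line via an embedded newline.
const sampleBody = {
  EXAMPLE_MODEL_NAME: 'example-model',
  SOME_OTHER_KEY: 'value',
  EXAMPLE_LLM_PROVIDER: 'openai\nINJECTED_KEY=1',
};
```

Mount `requireAdmin` in front of the update-env handler and pass only `validateEnvUpdate(req.body).accepted` on to whatever writes the .env file; a result with `ok === false` should be answered with a 400 listing `errors`.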

Exploit

Fix

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2024-3104

Affected Products: Anything-Llm