CVE-2024-4284

Name of the Vulnerable Software and Affected Versions mintplex-labs/anything-llm versions prior to 1.0.0

Description A denial of service (DoS) condition can be triggered through the modification of a user's id attribute to a value of 0. This can render a chosen account completely inaccessible, leading to uncontrolled resource consumption. The issue is due to the lack of input validation and sanitization in the user modification endpoint and the middleware's token validation logic. An attacker with manager or admin privileges can exploit this issue.

Recommendations For versions prior to 1.0.0, update to version 1.0.0 to address the issue. As a temporary workaround, consider restricting access to the user modification endpoint to minimize the risk of exploitation. Additionally, avoid using the id attribute with a value of 0 in the affected endpoint until the issue is resolved.