CVE-2024-8251

Name of the Vulnerable Software and Affected Versions mintplex-labs/anything-llm versions prior to 1.2.2

Description A vulnerability exists in the API endpoint "/embed/:embedId/stream-chat" where user-provided JSON is directly taken to the Prisma library's where clause. An attacker can exploit this by providing a specially crafted JSON object, such as {"sessionId":{"not":"a"}}, causing Prisma to return all data from the table. This can lead to unauthorized access to all user queries in embedded chat mode.

Recommendations For versions prior to 1.2.2, update to version 1.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/embed/:embedId/stream-chat" API endpoint until a patch is available. Avoid using user-provided JSON in the Prisma library's where clause to minimize the risk of exploitation.