CVE-2024-13059

Name of the Vulnerable Software and Affected Versions mintplex-labs/anything-llm versions prior to 1.3.1

Description A vulnerability in mintplex-labs/anything-llm allows for path traversal due to improper handling of non-ASCII filenames in the multer library. This can lead to arbitrary file write, which can subsequently result in remote code execution. The issue arises when the filename transformation introduces '../' sequences, which are not sanitized by multer, allowing attackers with manager or admin roles to write files to arbitrary locations on the server.

Recommendations For versions prior to 1.3.1, update to version 1.3.1 to secure systems. As a temporary workaround, consider restricting access to the multer library or disabling the filename transformation function to minimize the risk of exploitation. Avoid using non-ASCII filenames until the issue is resolved.