CVE-2024-5216

Denial of Service in mintplex-labs/anything-llm

Description

A vulnerability in mintplex-labs/anything-llm allows for a Denial of Service (DoS) condition due to uncontrolled resource consumption. Specifically, the issue arises from the application's failure to limit the size of usernames, enabling attackers to create users with excessively bulky texts in the username field. This exploit results in the user management panel becoming unresponsive, preventing administrators from performing critical user management actions such as editing, suspending, or deleting users. The impact of this vulnerability includes administrative paralysis, compromised security, and operational disruption, as it allows malicious users to perpetuate their presence within the system indefinitely, undermines the system's security posture, and degrades overall system performance.

Category

7.5
CVSS
Severity: High
CVSS 3.0 •
EPSS 0.14%
Affected: mintplex-labs mintplex-labs/anything-llm
Published at:
Updated at:

References

Link Tags
https://huntr.com/bounties/8ec14991-ee35-493d-a8d3-21a1cfd57869
https://github.com/mintplex-labs/anything-llm/commit/3ef009de73c837f9025df8bba62572885c70c72f

Frequently Asked Questions

What is the severity of CVE-2024-5216?
CVE-2024-5216 has been scored as a high severity vulnerability.
How to fix CVE-2024-5216?
To fix CVE-2024-5216, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-5216 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-5216 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-5216?
CVE-2024-5216 affects mintplex-labs mintplex-labs/anything-llm.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.