Cyber Posture

CVE-2024-13059

Public PoC: N/A
Published: 10 February 2025
Modified: 09 July 2025
KEV Added: not listed
Patch: available (fixed in 1.3.1)
CVSS Score: N/A
EPSS Score: 0.5539 (98.1th percentile)
Risk Priority: 33 (weighted 60% EPSS, 20% KEV, 20% CVSS; with no KEV entry and no CVSS score the figure is 60 × 0.5539 ≈ 33)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2024-13059 is a path traversal vulnerability (CWE-22, CWE-29) in mintplex-labs/anything-llm versions prior to 1.3.1. It stems from improper handling of non-ASCII filenames in the multer library: the transformation applied to an uploaded filename can introduce '../' sequences that are never sanitized. The result is an arbitrary file write on the server, which can be turned into remote code execution.

An attacker holding a manager or admin role (so authenticated access is required) exploits it by uploading a file whose non-ASCII filename is crafted so that the transformed name contains traversal sequences. Because that transformed name is not sanitized, the file can be written to an attacker-chosen location on the server, either overwriting existing files or planting ones that lead to code execution.

Mitigation is to upgrade to version 1.3.1 or later; the fix is in the project's GitHub commit referenced by the advisory. The issue was reported through Huntr, and the patch corrects the filename handling in the multer upload path.

The affected product, Anything-LLM, is an open-source tool for chatting with large language models over uploaded documents, which makes this a representative case of path traversal risk in AI/ML web applications that accept file uploads. No public evidence of in-the-wild exploitation had been reported as of the CVE's publication on 10 February 2025.

Details

CWE(s)
CWE-22, CWE-29

Affected Products

mintplexlabs / anythingllm: versions < 1.3.1 (fixed in 1.3.1)

AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: Other
ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason
mintplex-labs/anything-llm is an open-source AI application/platform for document chatting and RAG with LLMs, fitting the Enterprise AI Assistants category. The vulnerability is a path traversal in file upload handling (multer), reported on an AI/ML bug bounty platform.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal vulnerability enables arbitrary file write leading to RCE in a public-facing web application, directly facilitating exploitation of public-facing applications.

References