Cyber Posture

CVE-2024-6842

N/A
Public PoC

Published: 20 March 2025
Modified: 15 October 2025
KEV Added:
Patch:
CVSS Score: N/A
EPSS Score: 0.7320 (98.8th percentile)
Risk Priority: 44 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may exploit software vulnerabilities in an attempt to collect credentials.

Security Summary

CVE-2024-6842 is a vulnerability in version 1.5.5 of mintplex-labs/anything-llm, classified under CWE-306 (Missing Authentication for Critical Function). The issue lies in the `/setup-complete` API endpoint, which returns sensitive system settings through the `currentSettings` function without requiring authentication. The exposed data includes critical values such as API keys for search engines.

Any unauthenticated user who can reach the `/setup-complete` endpoint can retrieve these sensitive settings. Successful exploitation lets an attacker obtain the stored API keys, potentially resulting in the loss of user assets tied to those credentials.

Mitigation details are provided in the project's GitHub commit at https://github.com/mintplex-labs/anything-llm/commit/8b1ceb30c159cf3a10efa16275bc6849d84e4ea8, which addresses the unauthorized access. Further information, including bounty details, is available on the Huntr page at https://huntr.com/bounties/cd911fc7-ac6b-4974-acd0-9cc926fa8d9e. Security practitioners should ensure systems are updated beyond version 1.5.5.
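As an added illustration (not anything-llm's own code, and not the referenced commit), the following models the CWE-306 shape described above, a settings handler that returns its configuration with no authentication check, next to a hardened handler that rejects unauthenticated callers and reports only whether each secret is configured. The settings, field names, and bearer-token check are constructed assumptions.

```javascript
// Constructed sample settings (names and values are made up for this example).
const SETTINGS = {
  LLMProvider: "openai",
  OpenAiKey: "sk-constructed-example-0000",
  SearchEngineApiKey: "search-constructed-example-1111",
  EmbeddingEngine: "native",
};

// Fields whose raw values must never be returned to a client (assumption).
const SECRET_FIELDS = new Set(["OpenAiKey", "SearchEngineApiKey"]);

// Vulnerable shape: every caller, authenticated or not, gets the raw settings.
function setupCompleteVulnerable(req) {
  return { status: 200, body: { results: SETTINGS } };
}

// Hypothetical session check: a bearer token matching a configured value.
function isAuthenticated(req, validToken = "constructed-admin-token") {
  const header = (req.headers && req.headers.authorization) || "";
  return header === `Bearer ${validToken}`;
}

// Replace secret values with a presence indicator so the client can still
// tell whether a key is configured without learning the key itself.
function redactSecrets(settings) {
  const out = {};
  for (const [key, value] of Object.entries(settings)) {
    out[key] = SECRET_FIELDS.has(key) ? (value ? "[set]" : "[unset]") : value;
  }
  return out;
}

// Hardened shape: deny unauthenticated requests, and redact secrets even for
// authenticated ones, since a settings view rarely needs the raw key value.
function setupCompleteHardened(req) {
  if (!isAuthenticated(req)) {
    return { status: 401, body: { error: "unauthorized" } };
  }
  return { status: 200, body: { results: redactSecrets(SETTINGS) } };
}

// Defender's check: does a serialized response contain any raw secret value?
// Useful as a regression test against endpoints that return configuration.
function leaksSecret(body) {
  const text = JSON.stringify(body);
  return [...SECRET_FIELDS].some((key) => text.includes(SETTINGS[key]));
}
```

The `leaksSecret` check is the kind of assertion worth adding to an API test suite for any endpoint that serializes configuration, so that a future refactor cannot silently reintroduce the exposure.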

As an open-source LLM platform, anything-llm's exposure of search engine API keys illustrates a risk common to AI/ML deployments that hold credentials for integrated third-party services. No public evidence of real-world exploitation is noted in the available data.

Details

CWE(s)
CWE-306

Affected Products

mintplexlabs
anythingllm
1.5.5

AI Security Analysis

AI Category
Enterprise AI Assistants
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
MITRE ATLAS Techniques
None mapped
Classification Reason
anything-llm is an open-source platform for deploying LLM-based AI assistants that handle document chatting and integrations with LLMs and search engines, fitting the Enterprise AI Assistants category. The vulnerability involves unauthorized API access leaking sensitive configuration like search engine API keys in this AI deployment tool.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1212 Exploitation for Credential Access (Credential Access)
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
Why these techniques?

The vulnerability enables unauthorized remote access to sensitive system settings via a public-facing API endpoint, exposing API keys. This maps to T1190 (Exploit Public-Facing Application) for the exploitation vector and T1212 (Exploitation for Credential Access) for obtaining credential material.

References