Home > Vulnerability Database > CVE-2024-13059

Mend.io Vulnerability Database

CVE-2024-13059

Date: February 10, 2025

A vulnerability in mintplex-labs/anything-llm prior to version 1.3.1 allows for path traversal due to improper handling of non-ASCII filenames in the multer library. This vulnerability can lead to arbitrary file write, which can subsequently result in remote code execution. The issue arises when the filename transformation introduces '../' sequences, which are not sanitized by multer, allowing attackers with manager or admin roles to write files to arbitrary locations on the server.

Severity Score

7.2

Related Resources (4)

Url: https://huntr.com/bounties/92a875fe-c5b3-485c-b03f-d3185189e0b1

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-13059

Url: https://github.com/mintplex-labs/anything-llm/commit/0b7bf68f2c02ca68075970fbf85d5a70ca5e94ca

Url: https://www.mend.io/vulnerability-database/CVE-2024-13059

Severity Score

7.2

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Path Traversal: '..filename'

CWE-29

CVSS v3.1

Base Score:	7.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-13059

Date: February 10, 2025

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?