CVE-2024-5213

Published: Jun 20, 2024

Modified: Oct 15, 2025

PUBLISHED

CVSS v3.0

5.3

MEDIUM

Description

In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login (`POST /api/request-token`) and after account creations (`POST /api/admin/users/new`). This exposure occurs because the entire User object, including the bcrypt password hash, is included in the response sent to the frontend. This practice could potentially lead to sensitive information exposure despite the use of bcrypt, a strong hashing algorithm. It is recommended not to expose any clues about passwords to the frontend.

Vendor	Product	Versions
mintplex-labs	mintplex-labs/anything-llm	affected `unspecified - < 1.0.0`

Weaknesses (CWE)

CWE-201

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://huntr.com/bounties/8794fb65-50aa-40e3-b348-a29838dbf63d

https://github.com/mintplex-labs/anything-llm/commit/9df4521113ddb9a3adb5d0e3941e7d494992629c

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-5213

Description

Affected Products

Weaknesses (CWE)

CVSS v3.0 Details

References