Description

In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login (`POST /api/request-token`) and after account creations (`POST /api/admin/users/new`). This exposure occurs because the entire User object, including the bcrypt password hash, is included in the response sent to the frontend. This practice could potentially lead to sensitive information exposure despite the use of bcrypt, a strong hashing algorithm. It is recommended not to expose any clues about passwords to the frontend.

INFO

Published Date :

2024-06-20T02:15:33.551Z

Last Modified :

2025-10-15T12:50:26.179Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2024-5213 vulnerability.

Vendors Products
Mintplexlabs
  • Anythingllm
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-5213.

URL Resource
https://github.com/mintplex-labs/anything-llm/commit/9df4521113ddb9a3adb5d0e3941e7d494992629c cve-icon cve-icon cve-icon
https://huntr.com/bounties/8794fb65-50aa-40e3-b348-a29838dbf63d cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact