CVE-2024-0549
Published: 16 April 2024
Summary
CVE-2024-0549 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Mintplexlabs Anythingllm. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004); ranked at the 48.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Data-Related Vulnerabilities risk domain; MITRE ATLAS techniques in scope: External Harms (AML.T0048).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-16342
Vulnerability details
mintplex-labs/anything-llm is vulnerable to a relative path traversal attack, allowing unauthorized attackers with a default role account to delete files and folders within the filesystem, including critical database files such as 'anythingllm.db'. The vulnerability stems from insufficient input validation and normalization in the handling of file and folder deletion requests. Successful exploitation results in the compromise of data integrity and availability.
AI Security Analysis
- AI Category: Enterprise AI Assistants
- Risk Domain: Data-Related Vulnerabilities
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: mintplex-labs/anything-llm is an open-source platform for multi-user LLM applications, enabling document chatting and AI assistant features, fitting the Enterprise AI Assistants category. The vulnerability is a path traversal in its file/folder deletion functionality.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Relative path traversal allows unauthorized file and folder deletion, including critical databases, enabling indicator removal via file deletion (T1070.004), general file deletion for disruption (T1107), data destruction (T1485), and disk content wipe (T1561.001).
MITRE ATLAS Techniques
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.