CVE-2024-13059
Published: 10 February 2025
Summary
CVE-2024-13059 is a high-severity Path Traversal: '\..\filename' (CWE-29) vulnerability in Mintplexlabs Anythingllm. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-13059 is a path traversal vulnerability in mintplex-labs/anything-llm versions prior to 1.3.1. It stems from improper handling of non-ASCII filenames by the multer library, where filename transformations can introduce unsanitized '../' sequences. The flaw is tracked under CWE-29 and CWE-22 and carries a CVSS 3.0 score of 7.2.
Attackers holding manager or admin roles can supply crafted filenames during file uploads to write arbitrary files to any location on the server filesystem, enabling remote code execution.
The referenced commit 0b7bf68f2c02ca68075970fbf85d5a70ca5e94ca and the associated huntr report document the fix that was released in version 1.3.1. The EPSS score has remained at 0.6923 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51313
Vulnerability details
A vulnerability in mintplex-labs/anything-llm prior to version 1.3.1 allows for path traversal due to improper handling of non-ASCII filenames in the multer library. This vulnerability can lead to arbitrary file write, which can subsequently result in remote code execution. The issue arises when the filename transformation introduces '../' sequences, which are not sanitized by multer, allowing attackers with manager or admin roles to write files to arbitrary locations on the server.
AI Security Analysis
- AI Category: LLM Application Platforms
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: llm
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal vulnerability enables arbitrary file write leading to RCE in a public-facing web application, directly facilitating exploitation of public-facing applications.
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of incoming filenames to block path traversal sequences introduced by non-ASCII transformations in the multer library.
SI-2 ensures timely remediation of the path traversal flaw by applying vendor patches such as upgrading to Anything-LLM version 1.3.1.
SI-9 restricts file upload inputs to safe filename patterns, rejecting those with potential traversal characters like '../'.