Cyber Resilience

CVE-2024-3025

Critical · Public PoC

Published: 10 April 2024

Modified: 09 July 2025
KEV Added
Patch
CVSS Score v3: 9.9 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0023 (45.9th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-3025 is a critical-severity Relative Path Traversal (CWE-23) vulnerability in Mintplexlabs Anythingllm. Its CVSS base score is 9.9 (Critical).

Operationally, it ranks at the 45.9th percentile for exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Other AI Platforms.

Vulnerability details

mintplex-labs/anything-llm is vulnerable to path traversal attacks due to insufficient validation of user-supplied input in the logo filename functionality. Attackers can exploit this vulnerability by manipulating the logo filename to reference files outside of the restricted directory. This can lead to unauthorized reading or deletion of files by utilizing the `/api/system/upload-logo` and `/api/system/logo` endpoints. The issue stems from the lack of filtering or validation on the logo filename, allowing attackers to target sensitive files such as the application's database.

AI Security Analysis

AI Category: Other AI Platforms
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: llm

Affected Assets

mintplexlabs anythingllm, versions ≤ 1.0.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
