Cyber Resilience

CVE-2024-5213

MediumPublic PoC

Published: 20 June 2024

Published
20 June 2024
Modified
15 October 2025
KEV Added
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0032 55.6th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-5213 is a medium-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in Mintplexlabs Anythingllm. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552); ranked in the top 44.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Privacy and Disclosure risk domain.

EU & UK References

Vulnerability details

In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login (`POST /api/request-token`) and after account creations (`POST /api/admin/users/new`). This exposure occurs because the entire…

more

User object, including the bcrypt password hash, is included in the response sent to the frontend. This practice could potentially lead to sensitive information exposure despite the use of bcrypt, a strong hashing algorithm. It is recommended not to expose any clues about passwords to the frontend.

CWE(s)

AI Security AnalysisAI

AI Category
Enterprise AI Assistants
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
mintplex-labs/anything-llm is an open-source AI platform for running LLMs with features like RAG and chat interfaces, classified as an Enterprise AI Assistant. The vulnerability involves exposure of user password hashes in API responses, but the software is AI-related as confirmed by AI/ML bug bounty advisories.

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1552 Unsecured Credentials Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

The vulnerability exposes bcrypt password hashes of users in API responses after login and account creation, enabling adversaries to steal unsecured credentials.

Affected Assets

mintplexlabs
anythingllm
≤ 1.5.3

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-201

Embedding taints allows detection when sensitive data is inserted into outbound or sent data streams.

References