CVE-2024-5213
Published: 20 June 2024
Summary
CVE-2024-5213 is a medium-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in Mintplexlabs Anythingllm. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552); ranked in the top 44.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Privacy and Disclosure risk domain.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-46453
Vulnerability details
In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login (`POST /api/request-token`) and after account creations (`POST /api/admin/users/new`). This exposure occurs because the entire…
more
User object, including the bcrypt password hash, is included in the response sent to the frontend. This practice could potentially lead to sensitive information exposure despite the use of bcrypt, a strong hashing algorithm. It is recommended not to expose any clues about passwords to the frontend.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Enterprise AI Assistants
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- mintplex-labs/anything-llm is an open-source AI platform for running LLMs with features like RAG and chat interfaces, classified as an Enterprise AI Assistant. The vulnerability involves exposure of user password hashes in API responses, but the software is AI-related as confirmed by AI/ML bug bounty advisories.
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability exposes bcrypt password hashes of users in API responses after login and account creation, enabling adversaries to steal unsecured credentials.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Embedding taints allows detection when sensitive data is inserted into outbound or sent data streams.