CVE-2024-5216 - Vulnerability Details - OpenCVE

ReportizFlow

A vulnerability in mintplex-labs/anything-llm allows for a Denial of Service (DoS) condition due to uncontrolled resource consumption. Specifically, the issue arises from the application's failure to limit the size of usernames, enabling attackers to create users with excessively bulky texts in the username field. This exploit results in the user management panel becoming unresponsive, preventing administrators from performing critical user management actions such as editing, suspending, or deleting users. The impact of this vulnerability includes administrative paralysis, compromised security, and operational disruption, as it allows malicious users to perpetuate their presence within the system indefinitely, undermines the system's security posture, and degrades overall system performance.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mintplexlabs	Anythingllm

Configuration 1 [-]

cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/mintplex-labs/anything-llm/commit/3ef009de73c837f9025df8bba62572885c70c72f
https://huntr.com/bounties/8ec14991-ee35-493d-a8d3-21a1cfd57869

History

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00144}`	epss `{'score': 0.00156}`

Tue, 15 Jul 2025 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mintplexlabs Mintplexlabs anythingllm
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:mintplexlabs:anythingllm::::::::
Vendors & Products		Mintplexlabs Mintplexlabs anythingllm

MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-06-25T10:29:55.339Z

Updated: 2024-08-01T21:03:11.036Z

Reserved: 2024-05-22T18:20:59.629Z

Link: CVE-2024-5216

Vulnrichment

Updated: 2024-08-01T21:03:11.036Z

NVD

Status : Analyzed

Published: 2024-06-25T11:15:50.193

Modified: 2025-07-15T15:38:18.290

Link: CVE-2024-5216

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-5216", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-05-22T18:20:59.629Z", "datePublished": "2024-06-25T10:29:55.339Z", "dateUpdated": "2024-08-01T21:03:11.036Z"}, "containers": {"cna": {"title": "Denial of Service in mintplex-labs/anything-llm", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-06-25T10:29:55.339Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability in mintplex-labs/anything-llm allows for a Denial of Service (DoS) condition due to uncontrolled resource consumption. Specifically, the issue arises from the application's failure to limit the size of usernames, enabling attackers to create users with excessively bulky texts in the username field. This exploit results in the user management panel becoming unresponsive, preventing administrators from performing critical user management actions such as editing, suspending, or deleting users. The impact of this vulnerability includes administrative paralysis, compromised security, and operational disruption, as it allows malicious users to perpetuate their presence within the system indefinitely, undermines the system's security posture, and degrades overall system performance."}], "affected": [{"vendor": "mintplex-labs", "product": "mintplex-labs/anything-llm", "versions": [{"version": "unspecified", "lessThan": "1.0.0", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/8ec14991-ee35-493d-a8d3-21a1cfd57869"}, {"url": "https://github.com/mintplex-labs/anything-llm/commit/3ef009de73c837f9025df8bba62572885c70c72f"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption", "cweId": "CWE-400"}]}], "source": {"advisory": "8ec14991-ee35-493d-a8d3-21a1cfd57869", "discovery": "EXTERNAL"}}, "adp": [{"affected": [{"vendor": "mintplexlabs", "product": "anythingllm", "cpes": ["cpe:2.3:a:mintplexlabs:anythingllm:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.0.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-26T13:56:52.708711Z", "id": "CVE-2024-5216", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-26T17:20:30.275Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:03:11.036Z"}, "title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/8ec14991-ee35-493d-a8d3-21a1cfd57869", "tags": ["x_transferred"]}, {"url": "https://github.com/mintplex-labs/anything-llm/commit/3ef009de73c837f9025df8bba62572885c70c72f", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/8ec14991-ee35-493d-a8d3-21a1cfd57869", "tags": ["x_transferred"]}, {"url": "https://github.com/mintplex-labs/anything-llm/commit/3ef009de73c837f9025df8bba62572885c70c72f", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:03:11.036Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5216", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-26T13:56:52.708711Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mintplexlabs:anythingllm:-:*:*:*:*:*:*:*"], "vendor": "mintplexlabs", "product": "anythingllm", "versions": [{"status": "affected", "version": "0", "lessThan": "1.0.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-26T17:20:25.372Z"}}], "cna": {"title": "Denial of Service in mintplex-labs/anything-llm", "source": {"advisory": "8ec14991-ee35-493d-a8d3-21a1cfd57869", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "mintplex-labs", "product": "mintplex-labs/anything-llm", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "1.0.0", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/8ec14991-ee35-493d-a8d3-21a1cfd57869"}, {"url": "https://github.com/mintplex-labs/anything-llm/commit/3ef009de73c837f9025df8bba62572885c70c72f"}], "descriptions": [{"lang": "en", "value": "A vulnerability in mintplex-labs/anything-llm allows for a Denial of Service (DoS) condition due to uncontrolled resource consumption. Specifically, the issue arises from the application's failure to limit the size of usernames, enabling attackers to create users with excessively bulky texts in the username field. This exploit results in the user management panel becoming unresponsive, preventing administrators from performing critical user management actions such as editing, suspending, or deleting users. The impact of this vulnerability includes administrative paralysis, compromised security, and operational disruption, as it allows malicious users to perpetuate their presence within the system indefinitely, undermines the system's security posture, and degrades overall system performance."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-06-25T10:29:55.339Z"}}}, "cveMetadata": {"cveId": "CVE-2024-5216", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:03:11.036Z", "dateReserved": "2024-05-22T18:20:59.629Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2024-06-25T10:29:55.339Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*", "matchCriteriaId": "0D667E32-5A5C-479C-BB81-47F3BCA38C13", "versionEndExcluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in mintplex-labs/anything-llm allows for a Denial of Service (DoS) condition due to uncontrolled resource consumption. Specifically, the issue arises from the application's failure to limit the size of usernames, enabling attackers to create users with excessively bulky texts in the username field. This exploit results in the user management panel becoming unresponsive, preventing administrators from performing critical user management actions such as editing, suspending, or deleting users. The impact of this vulnerability includes administrative paralysis, compromised security, and operational disruption, as it allows malicious users to perpetuate their presence within the system indefinitely, undermines the system's security posture, and degrades overall system performance."}, {"lang": "es", "value": "Una vulnerabilidad en mintplex-labs/anything-llm permite una condici\u00f3n de Denegaci\u00f3n de Servicio (DoS) debido al consumo incontrolado de recursos. Espec\u00edficamente, el problema surge porque la aplicaci\u00f3n no limita el tama\u00f1o de los nombres de usuario, lo que permite a los atacantes crear usuarios con textos excesivamente voluminosos en el campo de nombre de usuario. Este exploit hace que el panel de administraci\u00f3n de usuarios deje de responder, lo que impide que los administradores realicen acciones cr\u00edticas de administraci\u00f3n de usuarios, como editar, suspender o eliminar usuarios. El impacto de esta vulnerabilidad incluye par\u00e1lisis administrativa, seguridad comprometida e interrupci\u00f3n operativa, ya que permite a los usuarios malintencionados perpetuar su presencia dentro del sistema indefinidamente, socava la postura de seguridad del sistema y degrada el rendimiento general del sistema."}], "id": "CVE-2024-5216", "lastModified": "2025-07-15T15:38:18.290", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}]}, "published": "2024-06-25T11:15:50.193", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/mintplex-labs/anything-llm/commit/3ef009de73c837f9025df8bba62572885c70c72f"}, {"source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.com/bounties/8ec14991-ee35-493d-a8d3-21a1cfd57869"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/mintplex-labs/anything-llm/commit/3ef009de73c837f9025df8bba62572885c70c72f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.com/bounties/8ec14991-ee35-493d-a8d3-21a1cfd57869"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "[email protected]", "type": "Primary"}]}