Mintplex Anything-LLM Dockerized Version Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the Dockerized version of Mintplex Labs Anything-LLM, specifically in the latest release with digest 1d9452da2b92. The issue arises when an audio file with an extremely low sample rate is uploaded, causing the transcription functionality to crash the entire site instance. This problem is linked to the localWhisper implementation, where resampling the audio from 1 Hz to 16 kHz rapidly consumes available memory, resulting in the Docker instance being terminated by the instance manager.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing the Docker instance to be killed by the instance manager.

Reproduction

To reproduce this vulnerability, upload an audio file with a sample rate of 1 Hz to the Dockerized Mintplex Anything-LLM application. The application will attempt to resample the audio for transcription, which will quickly exceed available memory and crash the site instance.

Remediation

Users can update to the patched version of Mintplex Anything-LLM, which includes audio file validation to prevent low sample rate files from being uploaded. Instructions for updating can be found in the Mintplex Labs GitHub repository.
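One way to implement the kind of upload validation described above, as an added example that is not Anything-LLM's actual patch. It goes beyond a sample-rate floor by also capping the projected size of the resampled signal before any resampling buffer is allocated. The WAV-only parsing, the function names and the limit values are assumptions.

```javascript
// Added example: guard run before resampling an uploaded WAV (names and limits are assumptions).
const TARGET_RATE = 16000; // resample target named in the advisory (16 kHz)
const DEFAULT_LIMITS = { minRate: 4000, maxOutputSamples: TARGET_RATE * 3600 }; // assumed policy

function parseWavHeader(buf) {
  if (buf.length < 12 || buf.toString("ascii", 0, 4) !== "RIFF" ||
      buf.toString("ascii", 8, 12) !== "WAVE") throw new Error("not a RIFF/WAVE file");
  let fmt = null;
  for (let off = 12; off + 8 <= buf.length; ) {
    const id = buf.toString("ascii", off, off + 4);
    const size = buf.readUInt32LE(off + 4);
    if (id === "fmt " && off + 24 <= buf.length) {
      fmt = { sampleRate: buf.readUInt32LE(off + 12), blockAlign: buf.readUInt16LE(off + 20) };
    } else if (id === "data") {
      if (!fmt) break;
      // Count only bytes actually present; the declared size comes from the uploader.
      return { ...fmt, dataBytes: Math.min(size, buf.length - (off + 8)) };
    }
    off += 8 + size + (size % 2); // chunks are word-aligned
  }
  throw new Error("missing fmt or data chunk");
}

function checkWavForResample(buf, limits = DEFAULT_LIMITS) {
  const { sampleRate, blockAlign, dataBytes } = parseWavHeader(buf);
  if (sampleRate < limits.minRate) return { ok: false, reason: "sample rate too low" };
  if (blockAlign === 0) return { ok: false, reason: "invalid block align" };
  // Size of the resampled signal, computed before any buffer is allocated.
  const frames = Math.floor(dataBytes / blockAlign);
  const outputSamples = Math.ceil(frames * (TARGET_RATE / sampleRate));
  if (outputSamples > limits.maxOutputSamples) return { ok: false, reason: "resampled audio too large" };
  return { ok: true, outputSamples };
}

// Constructed sample: minimal 16-bit mono PCM WAV with the given rate and frame count.
function makeWav(sampleRate, frames) {
  const buf = Buffer.alloc(44 + frames * 2);
  buf.write("RIFF", 0, "ascii"); buf.writeUInt32LE(36 + frames * 2, 4);
  buf.write("WAVE", 8, "ascii"); buf.write("fmt ", 12, "ascii");
  buf.writeUInt32LE(16, 16);             // fmt chunk size
  buf.writeUInt16LE(1, 20);              // PCM
  buf.writeUInt16LE(1, 22);              // mono
  buf.writeUInt32LE(sampleRate, 24);
  buf.writeUInt32LE(sampleRate * 2, 28); // byte rate
  buf.writeUInt16LE(2, 32);              // block align
  buf.writeUInt16LE(16, 34);             // bits per sample
  buf.write("data", 36, "ascii"); buf.writeUInt32LE(frames * 2, 40);
  return buf;
}
```

The size cap is what bounds memory use in general; the sample-rate floor only rejects the specific input described in this advisory early.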

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.3
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.