mintplex-labs/anything-llm
Moderate fix1 remedy
cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*
Moderate fix1 remedy
- < 1.2.2
Mintplex Anything-LLM Prisma Injection Vulnerability
Vulnerability
Patched
A Prisma injection vulnerability has been identified in Mintplex Labs Anything-LLM versions prior to 1.2.2. The issue arises in the API endpoint '/embed/:embedId/stream-chat', where user-supplied JSON is directly incorporated into Prisma's 'where' clause. This vulnerability allows an attacker to send a specially crafted JSON object, such as one that manipulates session ID values, to retrieve all data from the associated table. Consequently, this could result in unauthorized access to user queries in embedded chat mode.
Impact
Exploitation of this vulnerability could lead to unauthorized access to all user queries in embedded chat mode.
Reproduction
To reproduce this vulnerability, send a request to the '/embed/:embedId/stream-chat' endpoint with a crafted JSON object that includes a manipulated 'sessionId' value. This will cause Prisma to return all data from the table, exploiting the injection vulnerability.
Remediation
Users are advised to update to Mintplex Labs Anything-LLM version 1.2.2 or later, where this vulnerability has been addressed.
Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM
Vulnerability Rating
Custom Algorithm
spread
0.0impact
2.5exploitability
6.0remediation
7.7relevance
0.0threat
6.4urgency
2.9incentive
1.7Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.