CVE-2024-8251
CVSS 3.0 Score 5.3 of 10 (medium)
Details
Summary
CVE-2024-8251 is a vulnerability in the anything-llm application by mintplex-labs before version 1.2.2. The API endpoint "/embed/:embedId/stream-chat" passes the user-supplied JSON from the request body directly into a Prisma where clause. Prisma treats a scalar value as an equality match but treats an object as a filter with operators, so an attacker who replaces the expected sessionId string with an operator object such as {"sessionId":{"not":"a"}} causes the query to match every session rather than only their own, returning the chat history of all users of that embed in embedded chat mode. Attackers can exploit this vulnerability to gain unauthorized access to sensitive information. The root cause is a missing type check: a request field used in a database filter must be validated as the scalar type the query expects before it reaches the ORM, rather than being spliced into the filter as-is.