CVE-2024-5213

CVE-2024-5213 is a medium-severity vulnerability in Mintplexlabs Anythingllm with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-201.

Key facts

Description

In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login (`POST /api/request-token`) and after account creations (`POST /api/admin/users/new`). This exposure occurs because the entire User object, including the bcrypt password hash, is included in the response sent to the frontend. This practice could potentially lead to sensitive information exposure despite the use of bcrypt, a strong hashing algorithm. It is recommended not to expose any clues about passwords to the frontend.

Frequently asked questions

What is CVE-2024-5213?
In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login (`POST /api/request-token`) and after account creations (`POST /api/admin/users/new`). This exposure occurs because the entire User object, including the bcrypt password hash, is included in the response sent to the frontend. This practice could potentially lead to sensitive information exposure despite the use of bcrypt, a strong hashing algorithm. It is recommended not to expose any clues about passwords to the frontend.
How severe is CVE-2024-5213?
CVE-2024-5213 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
Is CVE-2024-5213 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (37th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2024-5213?
CVE-2024-5213 affects Mintplexlabs Anythingllm. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2024-5213?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2024-5213 have an EU (EUVD) identifier?
Yes. CVE-2024-5213 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-46453.
When was CVE-2024-5213 published?
CVE-2024-5213 was published on 2024-06-20 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Mintplexlabs Anythingllm

All CVEs affecting Mintplexlabs Anythingllm →

Other CWE-201 vulnerabilities

Browse all CWE-201 vulnerabilities →