CVE-2024-5213

6.5 MEDIUM
Published: June 20, 2024 Modified: October 15, 2025
View on NVD

Description

In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login (`POST /api/request-token`) and after account creations (`POST /api/admin/users/new`). This exposure occurs because the entire User object, including the bcrypt password hash, is included in the response sent to the frontend. This practice could potentially lead to sensitive information exposure despite the use of bcrypt, a strong hashing algorithm. It is recommended not to expose any clues about passwords to the frontend.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/mintplex-labs/anything-llm/commit/9df4521113ddb9a3adb5d0e3941e7d494992629c
Source: security@huntr.dev
Patch
https://huntr.com/bounties/8794fb65-50aa-40e3-b348-a29838dbf63d
Source: security@huntr.dev
Exploit Third Party Advisory
https://github.com/mintplex-labs/anything-llm/commit/9df4521113ddb9a3adb5d0e3941e7d494992629c
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
https://huntr.com/bounties/8794fb65-50aa-40e3-b348-a29838dbf63d
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit Third Party Advisory

4 reference(s) from NVD

Quick Stats

CVSS v3 Score
6.5 / 10.0
EPSS (Exploit Probability)
0.2%
48th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-201

Affected Vendors

mintplexlabs

Related CVEs

CVE-2025-52691 10.0
CVE-2025-15168 7.3
CVE-2025-15167 7.3
CVE-2025-15166 7.3
CVE-2025-15165 7.3