CVE-2024-6842
published 2025-03-20


Priority: P2 (68) · Severity: high · CVSS 3.0 base score: 7.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: available
EPSS: 29.19% (97.9th percentile)
In version 1.5.5 of mintplex-labs/anything-llm, the `/setup-complete` API endpoint allows unauthorized users to access sensitive system settings. The data returned by the `currentSettings` function includes sensitive information such as API keys for search engines, which can be exploited by attackers to steal these keys and cause loss of user assets.

Affected (2 ranges)

Vendor          Product                       Version range             Fixed in
mintplex-labs   mintplex-labs_anything-llm    >= unspecified, < 1.0.2   1.0.2
mintplexlabs    anythingllm                   (not given)               (not given)

Note that the description says version 1.5.5 is affected while the range above says the issue is fixed in 1.0.2; the two entries disagree, so verify the affected and fixed versions against the vendor advisory before relying on this table.

Detection & IOCs (extracted from sources)

URL: /api/setup-complete
Response body keyword: "AgentGoogleSearchEngineId":
Response body keyword: "AgentGoogleSearchEngineKey":
Response body keyword: "AgentSerperApiKey":
Response body keyword: "AgentBingSearchApiKey":
  • Detect unauthenticated HTTP GET requests to /api/setup-complete; a 200 response whose JSON body contains 'AuthToken":true' and 'ApiKey":true' confirms the information disclosure was triggered.
  • The Shodan query title:"AnythingLLM" identifies exposed AnythingLLM instances that may be vulnerable to this unauthenticated endpoint.
  • The vulnerability affects mintplex-labs/anything-llm version 1.5.5; the /setup-complete endpoint (served under /api) returns the output of the currentSettings function to unauthenticated users.
  • The Nuclei template matcher contains a likely typo: the entry '- -"AgentGoogleSearchEngineKey":' has a leading dash before the quote, so the word matcher will not match that keyword in a JSON body. Validate the matcher before deploying it.
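The three detection points above (a successful unauthenticated GET to /api/setup-complete in access logs, the response-body keyword matcher, and the matcher typo), worked as an added offline example in Python. This is not code from the CVE page, the Nuclei template, or AnythingLLM; the access-log lines, the JSON response body and the 10.0.0.0/8 trusted range are constructed assumptions for illustration.

```python
"""Offline detection helpers for the CVE-2024-6842 /api/setup-complete disclosure.

Added example, not from the CVE page, the Nuclei template or AnythingLLM.
All sample data below is constructed for illustration.
"""
import ipaddress
import json
import re

# Response-body keywords the page lists for the endpoint, spelled without the
# stray leading dash that the page reports in the Nuclei template.
SENSITIVE_KEYS = (
    "AgentGoogleSearchEngineId",
    "AgentGoogleSearchEngineKey",
    "AgentSerperApiKey",
    "AgentBingSearchApiKey",
)

# Assumption: requests from this range come from the admin network and are
# not flagged; adjust to the deployment.
TRUSTED_NETS = (ipaddress.ip_network("10.0.0.0/8"),)

# Combined access-log format, e.g. from an nginx reverse proxy in front of the app.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def validate_matcher_words(words):
    """Return matcher entries that cannot occur in a JSON body (no leading quote)."""
    return [w for w in words if not w.startswith('"')]


def body_matches(body):
    """Return the sensitive key names whose quoted JSON form appears in body."""
    return [k for k in SENSITIVE_KEYS if f'"{k}":' in body]


def leaked_values(body):
    """Return sensitive keys carrying a non-empty string, i.e. a real credential.

    The endpoint also returns boolean presence flags such as "AuthToken": true;
    only string values are secrets that need rotating after exposure.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return {}
    if not isinstance(data, dict):
        return {}
    return {k: v for k, v in data.items()
            if k in SENSITIVE_KEYS and isinstance(v, str) and v}


def suspicious_requests(log_text):
    """Flag 200 responses to GET /api/setup-complete from outside TRUSTED_NETS.

    The endpoint needs no authentication, so a successful request from an
    untrusted source is a likely disclosure rather than a failed probe.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if m["method"] != "GET" or path != "/api/setup-complete" or m["status"] != "200":
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue
        if any(src in net for net in TRUSTED_NETS):
            continue
        hits.append({"src": m["src"], "ts": m["ts"], "ua": m["ua"]})
    return hits


# Constructed sample data (not captured from a real instance).
SAMPLE_BODY = json.dumps({
    "AuthToken": True,
    "AgentGoogleSearchEngineId": "0123456789abcdef0:example",
    "AgentGoogleSearchEngineKey": "example-google-key-not-real",
    "AgentSerperApiKey": "",
    "AgentBingSearchApiKey": "example-bing-key-not-real",
})

SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2025:10:01:02 +0000] "GET /api/setup-complete HTTP/1.1" 200 842 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2025:10:02:15 +0000] "GET /api/setup-complete HTTP/1.1" 200 842 "-" "curl/8.4.0"
203.0.113.7 - - [20/Mar/2025:10:02:16 +0000] "GET /api/system/check-token HTTP/1.1" 403 21 "-" "curl/8.4.0"
198.51.100.9 - - [20/Mar/2025:10:03:00 +0000] "GET /api/setup-complete?x=1 HTTP/1.1" 404 12 "-" "curl/8.4.0"
"""

SAMPLE_MATCHER_WORDS = [
    '"AgentGoogleSearchEngineId":',
    '-"AgentGoogleSearchEngineKey":',  # the typo called out on the page
    '"AgentSerperApiKey":',
    '"AgentBingSearchApiKey":',
]

if __name__ == "__main__":
    print("malformed matcher words:", validate_matcher_words(SAMPLE_MATCHER_WORDS))
    print("keys present in body:", body_matches(SAMPLE_BODY))
    print("credentials to rotate:", sorted(leaked_values(SAMPLE_BODY)))
    for hit in suspicious_requests(SAMPLE_LOG):
        print("ALERT setup-complete disclosure:", hit)
```

The keyword check (`body_matches`) mirrors what a word matcher sees, while `leaked_values` separates real secrets from boolean flags so the response-handling team knows which keys to rotate; run `validate_matcher_words` over the template's word list before deploying it to catch the stray-dash problem.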