CVE-2024-0455 CRITICAL

CVE-2024-0455: SSRF on AWS deployed instances of AnythingLLM via /metadata

Vendor Mintplex-Labs
Product mintplex-labs/anything-llm
Weakness CWE-918 · SSRF
Published February 25, 2024
Last update August 12, 2024
View on NVD All CVEs

CVSS base score

9.9/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

The inclusion of the web scraper for AnythingLLM means that any user with the proper authorization level (manager, admin, and when in single user) could put in the URL ``` http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance ``` which is a special IP and URL that resolves only when the request comes from within an EC2 instance. This would allow the user to see the connection/secret credentials for their specific instance and be able to manage it regardless of who deployed it. The user would have to have pre-existing knowledge of the hosting infra which the target instance is deployed on, but if sent - would resolve if on EC2 and the proper `iptable` or firewall rule is not configured for their setup.

Key dates

02Disclosure timeline

February 25, 2024 CVE published
August 12, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-3966 648540858 wvp-GB28181-pro IP Address ABLMediaNodeServerService.java getDownloadFilePath server-side request forgery CVE-2025-1220 Null byte termination in hostnames CVE-2026-34936 PraisonAI: SSRF via Unvalidated api_base in passthrough() Fallback CVE-2025-49983 WordPress WPThumb plugin <= 0.10 - Server Side Request Forgery (SSRF) Vulnerability CVE-2025-2940 Ninja Tables – Easy Data Table Builder <= 5.0.18 - Unauthenticated Server-Side Request Forgery