CVE-2024-8251
A vulnerability in mintplex-labs/anything-llm prior to version 1.2.2 allows for Prisma injection. The issue exists in the API endpoint "/embed/:embedId/stream-chat" where user-provided JSON is directly taken to the Prisma library's where clause. An attacker can exploit this by providing a specially crafted JSON object, such as {"sessionId":{"not":"a"}}, causing Prisma to return all data from the table. This can lead to unauthorized access to all user queries in embedded chat mode.
Vendor
Product
CWE
Yayın Tarihi
2025-03-20 10:15:41
Güncelleme
2025-10-15 13:15:54
Source Identifier
security@huntr.dev
KEV Date Added
-