Severity by source
AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the AnythingLLM agent filesystem copy tool validates only the top-level source and destination paths. The recursive copy helper then descends into child entries using fs.stat() and copies files with fs.copyFile() without validating each child or rejecting symlinks. Because both APIs follow symlinks, a symlink nested inside an allowed source directory can point outside the allowed filesystem root and cause outside file contents to be copied into an allowed destination as a regular file. This vulnerability is fixed in 1.13.0.
AnalysisAI
Symlink following in the AnythingLLM agent filesystem copy tool (versions prior to 1.13.0) allows a highly-privileged authenticated user to read files outside the configured filesystem sandbox by placing a symbolic link inside an agent-accessible source directory. The recursive copy helper validates only top-level paths, then descends into child entries using Node.js fs.stat() and fs.copyFile(), both of which transparently follow symlinks - silently redirecting reads to targets outside the allowed root and materializing their contents in an accessible destination. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog; the CVSS score of 2.0 reflects that exploitation is constrained to high-privilege accounts with high complexity and required user interaction.
Technical ContextAI
AnythingLLM (CPE: cpe:2.3:a:mintplex-labs:anything-llm:*:*:*:*:*:*:*:*) is a Node.js application that exposes AI agents with optional filesystem capabilities. The vulnerable component is server/utils/agents/aibitat/plugins/filesystem/copy-file.js. The root cause maps to CWE-59 (Improper Link Resolution Before File Access - 'Link Following'): the recursive copy helper called fs.stat() on each child entry before copying it with fs.copyFile(). In Node.js, fs.stat() resolves symbolic links and returns metadata for the link target rather than the link itself, and fs.copyFile() copies the resolved target's contents - neither API surfaces the fact that a symlink was traversed. A symlink planted anywhere inside the allowed source tree can therefore redirect the copy operation to arbitrary files on the host filesystem, including secrets and credentials. The confirmed fix in commit 21ce03087145a4261c1de03b056fba639f699c09 replaces fs.stat() with fs.lstat(), which reports metadata for the link node itself rather than its target, and inserts an explicit guard that throws an error and aborts the copy if any entry is identified as a symbolic link.
RemediationAI
The primary fix is upgrading AnythingLLM to version 1.13.0, which resolves the vulnerability by replacing fs.stat() with fs.lstat() in the recursive copy helper and adding an explicit guard that rejects symbolic links encountered during agent copy operations. The patch is documented in GitHub Security Advisory GHSA-vjrp-43mm-j7vw (https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-vjrp-43mm-j7vw) and directly visible in commit 21ce03087145a4261c1de03b056fba639f699c09 (https://github.com/Mintplex-Labs/anything-llm/commit/21ce03087145a4261c1de03b056fba639f699c09). As a compensating control prior to patching, administrators should disable the agent filesystem copy capability entirely if it is not operationally required - this eliminates the attack surface with no impact on core LLM chat functionality. Where the feature must remain active, restrict agent filesystem tool access to the minimum set of accounts with a genuine operational need, audit agent-accessible source directories for any pre-existing symbolic links, and ensure the AnythingLLM process runs under an OS account with the narrowest possible filesystem permissions to reduce the set of sensitive files reachable via symlink traversal.
More in Anything Llm
View allSQL Injection in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. Rated high severity (CVSS 8.8), this vulne
Authentication Bypass by Primary Weakness in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. Rated high sev
XSS in AnythingLLM 1.11.1 and earlier.
SQL injection in AnythingLLM versions 1.11.1 and earlier enables authenticated users to execute arbitrary SQL commands a
AnythingLLM versions 1.11.1 and earlier contain an authentication bypass vulnerability on default installations where th
Stored DOM-level XSS in AnythingLLM's chart caption rendering allows authenticated users in shared workspaces to inject
Path traversal in AnythingLLM's document folder listing endpoint on Windows allows authenticated low-privilege users to
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatti
AnythingLLM versions 1.11.1 and earlier contain a Zip Slip path traversal vulnerability in the community plugin import f
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatti
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatti
Stale mobile device tokens in AnythingLLM survive single-user to multi-user mode migration with a null userId, allowing
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33067