Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
9DescriptionCVE.org
A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the AgentFlows component. The vulnerability arises from improper handling of user input in the loadFlow and deleteFlow methods in server/utils/agentFlows/index.js. Specifically, the combination of path.join and normalizePath allows attackers to bypass directory restrictions and access or delete arbitrary .json files on the server. This can lead to information disclosure, such as leaking sensitive configuration files containing API keys, or denial of service by deleting critical files like package.json. The issue is resolved in version 1.12.1.
AnalysisAI
Path traversal in mintplex-labs/anything-llm (versions ≤1.9.1) allows authenticated administrators to read or delete arbitrary JSON files on the server, bypassing directory restrictions in the AgentFlows component. Exploitation requires high privileges (administrator access) but achieves cross-scope impact including leaking sensitive API keys from configuration files or destroying critical package.json files. Fixed in version 1.12.1. No public exploit identified at time of analysis, though technical details are disclosed via Huntr bounty platform.
Technical ContextAI
The vulnerability resides in the AgentFlows component (server/utils/agentFlows/index.js), where the loadFlow and deleteFlow methods process user-controlled input. The flaw stems from CWE-29 (Path Traversal with '..\..filename'), where improper sanitization allows attackers to exploit the interaction between Node.js path.join() and a custom normalizePath() function. Path.join() performs platform-specific path resolution, but when combined with inadequate input validation, attackers can inject directory traversal sequences (../) to escape the intended storage directory. The normalizePath() function fails to adequately neutralize these sequences before file system operations occur. This affects the anything-llm product from mintplex-labs (CPE: cpe:2.3:a:mintplex-labs:mintplex-labs/anything-llm), specifically the AgentFlows feature which manages workflow configuration as JSON files. The vulnerability class (CWE-29) represents a classic path canonicalization failure where relative path components are not properly resolved before access control checks.
RemediationAI
Upgrade immediately to mintplex-labs/anything-llm version 1.12.1 or later, which contains the fix committed in GitHub commit 3444b9b0aa6764d72d53670ab4b1aaccdc6b7017 (https://github.com/mintplex-labs/anything-llm/commit/3444b9b0aa6764d72d53670ab4b1aaccdc6b7017). The patch implements proper input validation and sanitization in the loadFlow and deleteFlow methods to prevent directory traversal attacks. Organizations unable to immediately upgrade should implement compensating controls: restrict administrator access to the AgentFlows component through role-based access controls, implement file integrity monitoring to detect unauthorized access or deletion of JSON configuration files, and audit administrator accounts for compromise indicators. Review server logs for suspicious path traversal patterns in AgentFlows API calls (requests containing ../ or ..\ sequences). Rotate all API keys and secrets stored in configuration files if unauthorized access is suspected. For airgapped or highly controlled deployments where administrator trust is absolute, risk may be accepted temporarily, but upgrade remains the definitive remediation. Detailed vulnerability information and the security bounty report are available at https://huntr.com/bounties/597d41c5-7ea0-4786-80f4-bd536ec66374.
Same weakness CWE-29 – Path Traversal: '\\..\\filename'
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19637
GHSA-3593-xf56-f85v