Skip to content
ATR-2026-01973criticalTool Poisoningdraft

AnythingLLM Logo Endpoint Path Traversal File Read/Delete (CVE-2024-3025)

Detects CVE-2024-3025 (CWE-23, CVSS CRITICAL): mintplex-labs/anything-llm before 1.0.0 fails to validate the user-supplied logo filename on the /api/system/upload-logo and /api/system/logo endpoints. An authenticated attacker passes path-traversal sequences (../../../) in the logo filename to read or delete arbitrary files outside the assets directory, with the SQLite database storage/anythingllm.db as a high-value target. The fix added a normalizePath() guard. This rule keys on the specific logo endpoint paths combined with ../ traversal (raw or %2e%2e%2f-encoded) into storage/anythingllm.db.

Severity
critical
Category
Tool Poisoning
Scan Target
both
Author
ATR Community

Response Actions

alertblock input

References

OWASP Agentic
ASI06:2026 - Tool Misuse
OWASP LLM
LLM06:2025 - Excessive Agency
MITRE ATLAS
AML.T0049 - Exploit Public-Facing Application

Detection Conditions

Combinator: any
  1. 01
    AnythingLLM logo endpoint hit with multi-level ../ traversal (raw or URL-encoded) reaching storage/anythingllm.db
    field: contentop: regex
  2. 02
    Logo filename/logo query param carrying multi-level path-traversal sequences on the logo endpoint
    field: contentop: regex
  3. 03
    explicit CVE framing
    field: contentop: regex

Attack Examples (Rule Triggers)

  1. GET /api/system/logo?filename=../../../storage/anythingllm.db HTTP/1.1
  2. POST /api/system/upload-logo with logo=../../../../storage/anythingllm.db to delete the database
  3. Exploiting CVE-2024-3025: /api/system/logo path traversal to read anythingllm.db

Real-world attack payloads, sanitized and versioned alongside the rule as regression tests — so a future revision can't silently stop catching them.

Benign Examples (Rule Doesn't Trigger)

  1. Normal logo fetch with theme param, no traversal sequence
    GET /api/system/logo?theme=default HTTP/1.1 returns the configured workspace logo
  2. Legitimate logo upload with a clean filename
    POST /api/system/upload-logo uploading company-logo.png as the new appearance logo
  3. Generic mention of the endpoint with no exploit token or traversal
    The /api/system/logo endpoint serves the branding image configured in Appearance settings.

Known False Positive Contexts

  • Legitimate logo upload/fetch hitting /api/system/upload-logo or /api/system/logo with a normal filename like my-logo.png and no ../ sequence.
  • Documentation or changelog mentioning the logo endpoints without a traversal payload.

Full YAML Definition

Edit on GitHub →
title: "AnythingLLM Logo Endpoint Path Traversal File Read/Delete (CVE-2024-3025)"
id: ATR-2026-01973
rule_version: 1
status: draft
description: >
  Detects CVE-2024-3025 (CWE-23, CVSS CRITICAL): mintplex-labs/anything-llm
  before 1.0.0 fails to validate the user-supplied logo filename on the
  /api/system/upload-logo and /api/system/logo endpoints. An authenticated
  attacker passes path-traversal sequences (../../../) in the logo filename to
  read or delete arbitrary files outside the assets directory, with the SQLite
  database storage/anythingllm.db as a high-value target. The fix added a
  normalizePath() guard. This rule keys on the specific logo endpoint paths
  combined with ../ traversal (raw or %2e%2e%2f-encoded) into storage/anythingllm.db.
author: "ATR Community"
date: "2026/06/29"
schema_version: "0.1"
detection_tier: pattern
maturity: test
severity: critical
references:
  owasp_llm: ["LLM06:2025 - Excessive Agency"]
  owasp_agentic: ["ASI06:2026 - Tool Misuse"]
  mitre_atlas: ["AML.T0049 - Exploit Public-Facing Application"]
  mitre_attack: ["T1190 - Exploit Public-Facing Application"]
  cve: ["CVE-2024-3025"]
metadata_provenance: { mitre_atlas: human-reviewed, owasp_llm: human-reviewed, owasp_agentic: human-reviewed }
compliance:
  eu_ai_act:
    - article: "15"
      context: "Article 15 (accuracy, robustness, cybersecurity) — runtime detection of this technique is a cybersecurity control for high-risk AI systems. Technique: AnythingLLM Logo Endpoint Path Traversal File Read/Delete (CVE-2024-3025)."
      strength: primary
    - article: "9"
      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control. Technique: AnythingLLM Logo Endpoint Path Traversal File Read/Delete (CVE-2024-3025)."
      strength: secondary
  nist_ai_rmf:
    - subcategory: "MP.5.1"
      context: "NIST AI RMF MAP 5.1 — likelihood and impact of the identified attack are characterised; this rule detects the adversarial input at runtime. Technique: AnythingLLM Logo Endpoint Path Traversal File Read/Delete (CVE-2024-3025)."
      strength: primary
    - subcategory: "MG.3.2"
      context: "NIST AI RMF MANAGE 3.2 — runtime monitoring/maintenance control that surfaces this attack class. Technique: AnythingLLM Logo Endpoint Path Traversal File Read/Delete (CVE-2024-3025)."
      strength: secondary
  iso_42001:
    - clause: "8.1"
      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control) — detection of this payload is an operational control. Technique: AnythingLLM Logo Endpoint Path Traversal File Read/Delete (CVE-2024-3025)."
      strength: primary
    - clause: "8.3"
      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) — this rule implements runtime detection as a treatment control. Technique: AnythingLLM Logo Endpoint Path Traversal File Read/Delete (CVE-2024-3025)."
      strength: secondary
tags: { category: tool-poisoning, subcategory: path-traversal, scan_target: both, confidence: high, source: cve-disclosure, vendor_sources: anythingllm-cve-2024-3025 }
agent_source: { type: llm_io, framework: [any], provider: [any] }
detection:
  condition: any
  false_positives:
    - "Legitimate logo upload/fetch hitting /api/system/upload-logo or /api/system/logo with a normal filename like my-logo.png and no ../ sequence."
    - "Documentation or changelog mentioning the logo endpoints without a traversal payload."
  conditions:
    - field: content
      operator: regex
      value: '(?i)/api/system/(?:upload-)?logo[\s\S]{0,200}(?:\.\./|\.\.%2f|%2e%2e%2f|%2e%2e/){2,}[\s\S]{0,120}(?:storage[/\\])?anythingllm\.db'
      description: "AnythingLLM logo endpoint hit with multi-level ../ traversal (raw or URL-encoded) reaching storage/anythingllm.db"
    - field: content
      operator: regex
      value: '(?i)/api/system/(?:upload-)?logo[\s\S]{0,200}(?:filename|logo)=[\s\S]{0,40}(?:\.\./|%2e%2e%2f|\.\.%2f){2,}'
      description: "Logo filename/logo query param carrying multi-level path-traversal sequences on the logo endpoint"
    - field: content
      operator: regex
      value: '(?i)CVE-2024-3025[\s\S]{0,200}(?:path\s*traversal|logo|anythingllm\.db|/api/system/(?:upload-)?logo)'
      description: "explicit CVE framing"
response:
  actions: [alert, block_input]
  message_template: >
    [ATR-2026-01973] CRITICAL: AnythingLLM logo endpoint path traversal (CVE-2024-3025) reads/deletes arbitrary files such as storage/anythingllm.db. Block and patch.
confidence: 80
wild_fp_rate: 0
test_cases:
  true_positives:
    - input: "GET /api/system/logo?filename=../../../storage/anythingllm.db HTTP/1.1"
      expected: triggered
      description: "Logo fetch endpoint with ../ traversal to the SQLite database file"
    - input: "POST /api/system/upload-logo with logo=../../../../storage/anythingllm.db to delete the database"
      expected: triggered
      description: "Upload-logo endpoint abused with traversal into storage/anythingllm.db"
    - input: "Exploiting CVE-2024-3025: /api/system/logo path traversal to read anythingllm.db"
      expected: triggered
      description: "Explicit CVE-2024-3025 framing with the logo endpoint and traversal target"
  true_negatives:
    - input: "GET /api/system/logo?theme=default HTTP/1.1 returns the configured workspace logo"
      expected: not_triggered
      description: "Normal logo fetch with theme param, no traversal sequence"
    - input: "POST /api/system/upload-logo uploading company-logo.png as the new appearance logo"
      expected: not_triggered
      description: "Legitimate logo upload with a clean filename"
    - input: "The /api/system/logo endpoint serves the branding image configured in Appearance settings."
      expected: not_triggered
      description: "Generic mention of the endpoint with no exploit token or traversal"

Revision History

Created
2026-06-29
Last modified
2026-07-02
View full commit history on GitHub →