ATR-2026-01978 | critical | Tool Poisoning | draft

AnythingLLM collector /process filename Path Traversal Arbitrary File Deletion (CVE-2023-5832)

CVE-2023-5832: mintplex-labs/anything-llm < 0.1.0 collector API exposes POST /process which passes the request JSON 'filename' field straight into process_single(WATCH_DIRECTORY, filename) without normalization. A filename containing ../ directory-traversal sequences escapes the hotdir / WATCH_DIRECTORY and lets a low-privilege user delete arbitrary files (e.g. ../../server/storage/anythingllm.db). This rule keys on the /process + filename + ../ traversal triad and on traversal payloads targeting anythingllm storage from the collector context.
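
The missing normalization step described above can be sketched as a containment check. This is an added example, not the AnythingLLM project's actual fix; `resolve_in_hotdir`, `TraversalError` and the temporary `collector/hotdir` layout are hypothetical names constructed for illustration.

```python
import os
import tempfile

class TraversalError(ValueError):
    """Filename resolves outside the watch directory."""

def resolve_in_hotdir(watch_directory: str, filename: str) -> str:
    """Return the real path of filename inside watch_directory, else raise."""
    if not filename or "\x00" in filename:
        raise TraversalError("empty or NUL-containing filename")
    base = os.path.realpath(watch_directory)
    # realpath collapses ../ segments and resolves symlinks before comparing
    candidate = os.path.realpath(os.path.join(base, filename))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise TraversalError(f"{filename!r} resolves outside {base}")
    return candidate

# Filenames taken from this rule's own test cases
SAMPLE_FILENAMES = [
    "quarterly-report.pdf",
    "../../server/storage/anythingllm.db",
    "../../../etc/passwd",
    "../../storage/anythingllm.db",
]

def demo() -> dict:
    """Check each sample against a throwaway hotdir (constructed layout)."""
    with tempfile.TemporaryDirectory() as root:
        hotdir = os.path.join(root, "collector", "hotdir")
        os.makedirs(hotdir)
        verdicts = {}
        for name in SAMPLE_FILENAMES:
            try:
                resolve_in_hotdir(hotdir, name)
                verdicts[name] = "accepted"
            except TraversalError:
                verdicts[name] = "rejected"
        return verdicts

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:9} {name}")
```

The check compares resolved paths rather than searching the string for `../`, so it does not depend on how the traversal is spelled.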

Severity: critical
Category: Tool Poisoning
Scan Target: both
Author: ATR Community

Response Actions

alert, block input

References

OWASP Agentic: ASI06:2026 - Tool Misuse
OWASP LLM: LLM06:2025 - Excessive Agency
MITRE ATLAS: AML.T0049 - Exploit Public-Facing Application

Detection Conditions

Combinator: any
  1. POST /process request whose filename field value begins with one or more ../ traversal segments, the exact CVE-2023-5832 sink shape.
     field: content, op: regex
  2. filename field carrying a ../ traversal payload that targets the anythingllm.db storage file (DB-deletion exploit primitive).
     field: content, op: regex
  3. explicit CVE framing
     field: content, op: regex

Attack Examples (Rule Triggers)

  1. POST /process {"filename": "../../server/storage/anythingllm.db"}
  2. curl -X POST http://target:8888/process -d '{"filename":"../../../etc/passwd"}'
  3. {"filename": "../../storage/anythingllm.db"}

Real-world attack payloads, sanitized and versioned alongside the rule as regression tests — so a future revision can't silently stop catching them.

Benign Examples (Rule Doesn't Trigger)

  1. Legitimate /process call with a normal in-hotdir document name and no ../ traversal.
    POST /process {"filename": "quarterly-report.pdf"}
  2. Documentation describing the /process endpoint and filename field with no traversal payload.
    The AnythingLLM collector exposes a /process endpoint that takes a filename field to ingest uploaded documents.
  3. Generic mention of anythingllm.db and hotdir with no ../ traversal sequence reaching them.
    Backup of anythingllm.db and the hotdir WATCH_DIRECTORY completed successfully.

Known False Positive Contexts

  • A legitimate POST /process call whose JSON filename is a plain document name inside the hotdir (e.g. {"filename":"report.pdf"}) with no ../ traversal sequence is benign and must not fire.
  • Documentation or code that mentions the AnythingLLM collector /process endpoint or the filename field without any ../ directory-traversal payload.
  • Generic mentions of anythingllm.db, hotdir, or WATCH_DIRECTORY in setup docs/backups without a traversal sequence reaching them.

Full YAML Definition

title: "AnythingLLM collector /process filename Path Traversal Arbitrary File Deletion (CVE-2023-5832)"
id: ATR-2026-01978
rule_version: 1
status: draft
description: >
  CVE-2023-5832: mintplex-labs/anything-llm < 0.1.0 collector API exposes
  POST /process which passes the request JSON 'filename' field straight into
  process_single(WATCH_DIRECTORY, filename) without normalization. A filename
  containing ../ directory-traversal sequences escapes the hotdir / WATCH_DIRECTORY
  and lets a low-privilege user delete arbitrary files (e.g. ../../server/storage/anythingllm.db).
  This rule keys on the /process + filename + ../ traversal triad and on traversal
  payloads targeting anythingllm storage from the collector context.
author: "ATR Community"
date: "2026/06/29"
schema_version: "0.1"
detection_tier: pattern
maturity: test
severity: critical
references:
  owasp_llm: ["LLM06:2025 - Excessive Agency"]
  owasp_agentic: ["ASI06:2026 - Tool Misuse"]
  mitre_atlas: ["AML.T0049 - Exploit Public-Facing Application"]
  mitre_attack: ["T1190 - Exploit Public-Facing Application"]
  cve: ["CVE-2023-5832"]
metadata_provenance: { mitre_atlas: human-reviewed, owasp_llm: human-reviewed, owasp_agentic: human-reviewed }
compliance:
  eu_ai_act:
    - article: "15"
      context: "Article 15 (accuracy, robustness, cybersecurity) — runtime detection of this technique is a cybersecurity control for high-risk AI systems. Technique: AnythingLLM collector /process filename Path Traversal Arbitrary File Deletion (CVE-2023-5832)."
      strength: primary
    - article: "9"
      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control. Technique: AnythingLLM collector /process filename Path Traversal Arbitrary File Deletion (CVE-2023-5832)."
      strength: secondary
  nist_ai_rmf:
    - subcategory: "MP.5.1"
      context: "NIST AI RMF MAP 5.1 — likelihood and impact of the identified attack are characterised; this rule detects the adversarial input at runtime. Technique: AnythingLLM collector /process filename Path Traversal Arbitrary File Deletion (CVE-2023-5832)."
      strength: primary
    - subcategory: "MG.3.2"
      context: "NIST AI RMF MANAGE 3.2 — runtime monitoring/maintenance control that surfaces this attack class. Technique: AnythingLLM collector /process filename Path Traversal Arbitrary File Deletion (CVE-2023-5832)."
      strength: secondary
  iso_42001:
    - clause: "8.1"
      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control) — detection of this payload is an operational control. Technique: AnythingLLM collector /process filename Path Traversal Arbitrary File Deletion (CVE-2023-5832)."
      strength: primary
    - clause: "8.3"
      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) — this rule implements runtime detection as a treatment control. Technique: AnythingLLM collector /process filename Path Traversal Arbitrary File Deletion (CVE-2023-5832)."
      strength: secondary
tags: { category: tool-poisoning, subcategory: path-traversal, scan_target: both, confidence: high, source: cve-disclosure, vendor_sources: anythingllm-cve-2023-5832 }
agent_source: { type: llm_io, framework: [any], provider: [any] }
detection:
  condition: any
  false_positives:
    - "A legitimate POST /process call whose JSON filename is a plain document name inside the hotdir (e.g. {\"filename\":\"report.pdf\"}) with no ../ traversal sequence is benign and must not fire."
    - "Documentation or code that mentions the AnythingLLM collector /process endpoint or the filename field without any ../ directory-traversal payload."
    - "Generic mentions of anythingllm.db, hotdir, or WATCH_DIRECTORY in setup docs/backups without a traversal sequence reaching them."
  conditions:
    - field: content
      operator: regex
      value: '(?i)/process\b[\s\S]{0,200}["'']?filename["'']?\s*[:=]\s*["'']?(?:\.\.[\\/]){1,}'
      description: "POST /process request whose filename field value begins with one or more ../ traversal segments, the exact CVE-2023-5832 sink shape."
    - field: content
      operator: regex
      value: '(?i)["'']?filename["'']?\s*[:=]\s*["'']?(?:\.\.[\\/]){1,}[^"''\s]{0,120}(?:storage[\\/])?anythingllm\.db'
      description: "filename field carrying a ../ traversal payload that targets the anythingllm.db storage file (DB-deletion exploit primitive)."
    - field: content
      operator: regex
      value: '(?i)CVE-2023-5832[\s\S]{0,200}(?:path traversal|directory traversal|arbitrary file deletion|hotdir|/process)'
      description: "explicit CVE framing"
response:
  actions: [alert, block_input]
  message_template: >
    [ATR-2026-01978] CRITICAL: AnythingLLM collector POST /process accepts a filename with ../ traversal, enabling arbitrary file deletion outside the hotdir (e.g. anythingllm.db) on versions < 0.1.0 (CVE-2023-5832). Block and patch.
confidence: 80
wild_fp_rate: 0
test_cases:
  true_positives:
    - input: 'POST /process {"filename": "../../server/storage/anythingllm.db"}'
      expected: triggered
      description: "Collector /process call with filename traversing out of the hotdir to delete the AnythingLLM database, the canonical CVE-2023-5832 exploit."
    - input: 'curl -X POST http://target:8888/process -d ''{"filename":"../../../etc/passwd"}'''
      expected: triggered
      description: "filename field with stacked ../ segments against /process escapes WATCH_DIRECTORY."
    - input: '{"filename": "../../storage/anythingllm.db"}'
      expected: triggered
      description: "filename traversal payload explicitly targeting the anythingllm.db storage file."
  true_negatives:
    - input: 'POST /process {"filename": "quarterly-report.pdf"}'
      expected: not_triggered
      description: "Legitimate /process call with a normal in-hotdir document name and no ../ traversal."
    - input: 'The AnythingLLM collector exposes a /process endpoint that takes a filename field to ingest uploaded documents.'
      expected: not_triggered
      description: "Documentation describing the /process endpoint and filename field with no traversal payload."
    - input: 'Backup of anythingllm.db and the hotdir WATCH_DIRECTORY completed successfully.'
      expected: not_triggered
      description: "Generic mention of anythingllm.db and hotdir with no ../ traversal sequence reaching them."
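
The three `detection.conditions` patterns above can be replayed against the rule's own `test_cases` to see which condition fires for each input. This is an added example, not part of the ATR project's tooling; it assumes Python's `re` module behaves like the rule engine's regex flavor for these patterns, and the YAML `''` escapes are written here as plain `'`.

```python
import re

# Patterns copied from detection.conditions (YAML '' un-escaped to ')
RULES = {
    "01": r"""(?i)/process\b[\s\S]{0,200}["']?filename["']?\s*[:=]\s*["']?(?:\.\.[\\/]){1,}""",
    "02": r"""(?i)["']?filename["']?\s*[:=]\s*["']?(?:\.\.[\\/]){1,}[^"'\s]{0,120}(?:storage[\\/])?anythingllm\.db""",
    "03": r"""(?i)CVE-2023-5832[\s\S]{0,200}(?:path traversal|directory traversal|arbitrary file deletion|hotdir|/process)""",
}
COMPILED = {cid: re.compile(rx) for cid, rx in RULES.items()}

# (input, expected) pairs copied from the rule's test_cases section
CASES = [
    ('POST /process {"filename": "../../server/storage/anythingllm.db"}', True),
    ("""curl -X POST http://target:8888/process -d '{"filename":"../../../etc/passwd"}'""", True),
    ('{"filename": "../../storage/anythingllm.db"}', True),
    ('POST /process {"filename": "quarterly-report.pdf"}', False),
    ("The AnythingLLM collector exposes a /process endpoint that takes a "
     "filename field to ingest uploaded documents.", False),
    ("Backup of anythingllm.db and the hotdir WATCH_DIRECTORY completed successfully.", False),
]

def matched_conditions(content: str) -> list:
    """Return the ids of every condition whose regex matches content."""
    return [cid for cid, rx in COMPILED.items() if rx.search(content)]

def triggered(content: str) -> bool:
    """condition: any -> the rule fires if at least one condition matches."""
    return bool(matched_conditions(content))

def regressions() -> list:
    """Return the inputs whose outcome differs from the expected one."""
    return [text for text, expected in CASES if triggered(text) != expected]

if __name__ == "__main__":
    for text, expected in CASES:
        print(matched_conditions(text), expected, text[:60])
    print("regressions:", regressions())
```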

Revision History

Created: 2026-06-29
Last modified: 2026-07-02