ATR-2026-01973 | critical | Tool Poisoning | draft
AnythingLLM Logo Endpoint Path Traversal File Read/Delete (CVE-2024-3025)
Detects CVE-2024-3025 (CWE-23, CVSS CRITICAL): mintplex-labs/anything-llm before 1.0.0 fails to validate the user-supplied logo filename on the /api/system/upload-logo and /api/system/logo endpoints. An authenticated attacker passes path-traversal sequences (../../../) in the logo filename to read or delete arbitrary files outside the assets directory, with the SQLite database storage/anythingllm.db as a high-value target. The fix added a normalizePath() guard. This rule keys on the specific logo endpoint paths combined with ../ traversal (raw or %2e%2e%2f-encoded) into storage/anythingllm.db.
Severity: critical
Category: Tool Poisoning
Scan target: both
Author: ATR Community
Recommended response: alert, block input
References
- OWASP Agentic: ASI06:2026 - Tool Misuse
- OWASP LLM: LLM06:2025 - Excessive Agency
- MITRE ATLAS: AML.T0049 - Exploit Public-Facing Application
Detection conditions
Combination: any
- 01 AnythingLLM logo endpoint hit with multi-level ../ traversal (raw or URL-encoded) reaching storage/anythingllm.db (field: content, operator: regex)
- 02 Logo filename/logo query param carrying multi-level path-traversal sequences on the logo endpoint (field: content, operator: regex)
- 03 Explicit CVE framing (field: content, operator: regex)
Attack examples (rule triggers)
GET /api/system/logo?filename=../../../storage/anythingllm.db HTTP/1.1
POST /api/system/upload-logo with logo=../../../../storage/anythingllm.db to delete the database
Exploiting CVE-2024-3025: /api/system/logo path traversal to read anythingllm.db
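The samples above are sanitized versions of real attack payloads. They are versioned together with the rule as regression tests, so that future revisions cannot silently stop detecting them.
Benign samples (rule does not trigger)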
- Normal logo fetch with theme param, no traversal sequence
GET /api/system/logo?theme=default HTTP/1.1 returns the configured workspace logo
- Legitimate logo upload with a clean filename
POST /api/system/upload-logo uploading company-logo.png as the new appearance logo
- Generic mention of the endpoint with no exploit token or traversal
The /api/system/logo endpoint serves the branding image configured in Appearance settings.
Known false-positive scenarios
- Legitimate logo upload/fetch hitting /api/system/upload-logo or /api/system/logo with a normal filename like my-logo.png and no ../ sequence.
- Documentation or changelog mentioning the logo endpoints without a traversal payload.
Full YAML definition
```yaml
title: "AnythingLLM Logo Endpoint Path Traversal File Read/Delete (CVE-2024-3025)"
id: ATR-2026-01973
rule_version: 1
status: draft
description: >
  Detects CVE-2024-3025 (CWE-23, CVSS CRITICAL): mintplex-labs/anything-llm
  before 1.0.0 fails to validate the user-supplied logo filename on the
  /api/system/upload-logo and /api/system/logo endpoints. An authenticated
  attacker passes path-traversal sequences (../../../) in the logo filename to
  read or delete arbitrary files outside the assets directory, with the SQLite
  database storage/anythingllm.db as a high-value target. The fix added a
  normalizePath() guard. This rule keys on the specific logo endpoint paths
  combined with ../ traversal (raw or %2e%2e%2f-encoded) into storage/anythingllm.db.
author: "ATR Community"
date: "2026/06/29"
schema_version: "0.1"
detection_tier: pattern
maturity: test
severity: critical
references:
  owasp_llm: ["LLM06:2025 - Excessive Agency"]
  owasp_agentic: ["ASI06:2026 - Tool Misuse"]
  mitre_atlas: ["AML.T0049 - Exploit Public-Facing Application"]
  mitre_attack: ["T1190 - Exploit Public-Facing Application"]
  cve: ["CVE-2024-3025"]
metadata_provenance: { mitre_atlas: human-reviewed, owasp_llm: human-reviewed, owasp_agentic: human-reviewed }
compliance:
  eu_ai_act:
    - article: "15"
      context: "Article 15 (accuracy, robustness, cybersecurity) — runtime detection of this technique is a cybersecurity control for high-risk AI systems. Technique: AnythingLLM Logo Endpoint Path Traversal File Read/Delete (CVE-2024-3025)."
      strength: primary
    - article: "9"
      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control. Technique: AnythingLLM Logo Endpoint Path Traversal File Read/Delete (CVE-2024-3025)."
      strength: secondary
  nist_ai_rmf:
    - subcategory: "MP.5.1"
      context: "NIST AI RMF MAP 5.1 — likelihood and impact of the identified attack are characterised; this rule detects the adversarial input at runtime. Technique: AnythingLLM Logo Endpoint Path Traversal File Read/Delete (CVE-2024-3025)."
      strength: primary
    - subcategory: "MG.3.2"
      context: "NIST AI RMF MANAGE 3.2 — runtime monitoring/maintenance control that surfaces this attack class. Technique: AnythingLLM Logo Endpoint Path Traversal File Read/Delete (CVE-2024-3025)."
      strength: secondary
  iso_42001:
    - clause: "8.1"
      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control) — detection of this payload is an operational control. Technique: AnythingLLM Logo Endpoint Path Traversal File Read/Delete (CVE-2024-3025)."
      strength: primary
    - clause: "8.3"
      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) — this rule implements runtime detection as a treatment control. Technique: AnythingLLM Logo Endpoint Path Traversal File Read/Delete (CVE-2024-3025)."
      strength: secondary
tags: { category: tool-poisoning, subcategory: path-traversal, scan_target: both, confidence: high, source: cve-disclosure, vendor_sources: anythingllm-cve-2024-3025 }
agent_source: { type: llm_io, framework: [any], provider: [any] }
detection:
  condition: any
  false_positives:
    - "Legitimate logo upload/fetch hitting /api/system/upload-logo or /api/system/logo with a normal filename like my-logo.png and no ../ sequence."
    - "Documentation or changelog mentioning the logo endpoints without a traversal payload."
  conditions:
    - field: content
      operator: regex
      value: '(?i)/api/system/(?:upload-)?logo[\s\S]{0,200}(?:\.\./|\.\.%2f|%2e%2e%2f|%2e%2e/){2,}[\s\S]{0,120}(?:storage[/\\])?anythingllm\.db'
      description: "AnythingLLM logo endpoint hit with multi-level ../ traversal (raw or URL-encoded) reaching storage/anythingllm.db"
    - field: content
      operator: regex
      value: '(?i)/api/system/(?:upload-)?logo[\s\S]{0,200}(?:filename|logo)=[\s\S]{0,40}(?:\.\./|%2e%2e%2f|\.\.%2f){2,}'
      description: "Logo filename/logo query param carrying multi-level path-traversal sequences on the logo endpoint"
    - field: content
      operator: regex
      value: '(?i)CVE-2024-3025[\s\S]{0,200}(?:path\s*traversal|logo|anythingllm\.db|/api/system/(?:upload-)?logo)'
      description: "explicit CVE framing"
response:
  actions: [alert, block_input]
  message_template: >
    [ATR-2026-01973] CRITICAL: AnythingLLM logo endpoint path traversal (CVE-2024-3025) reads/deletes arbitrary files such as storage/anythingllm.db. Block and patch.
confidence: 80
wild_fp_rate: 0
test_cases:
  true_positives:
    - input: "GET /api/system/logo?filename=../../../storage/anythingllm.db HTTP/1.1"
      expected: triggered
      description: "Logo fetch endpoint with ../ traversal to the SQLite database file"
    - input: "POST /api/system/upload-logo with logo=../../../../storage/anythingllm.db to delete the database"
      expected: triggered
      description: "Upload-logo endpoint abused with traversal into storage/anythingllm.db"
    - input: "Exploiting CVE-2024-3025: /api/system/logo path traversal to read anythingllm.db"
      expected: triggered
      description: "Explicit CVE-2024-3025 framing with the logo endpoint and traversal target"
  true_negatives:
    - input: "GET /api/system/logo?theme=default HTTP/1.1 returns the configured workspace logo"
      expected: not_triggered
      description: "Normal logo fetch with theme param, no traversal sequence"
    - input: "POST /api/system/upload-logo uploading company-logo.png as the new appearance logo"
      expected: not_triggered
      description: "Legitimate logo upload with a clean filename"
    - input: "The /api/system/logo endpoint serves the branding image configured in Appearance settings."
      expected: not_triggered
      description: "Generic mention of the endpoint with no exploit token or traversal"
```
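The regression check that the rule's test_cases describe, written out as an added example (not part of the ATR project's own tooling): it evaluates the three regex conditions under the `any` combination against the page's samples and one constructed URL-encoded request. The function names and condition labels are assumptions made for this example.

```python
import re

# Regex values copied verbatim from detection.conditions; the labels are hypothetical.
CONDITIONS = [
    ("traversal-to-db", r'(?i)/api/system/(?:upload-)?logo[\s\S]{0,200}(?:\.\./|\.\.%2f|%2e%2e%2f|%2e%2e/){2,}[\s\S]{0,120}(?:storage[/\\])?anythingllm\.db'),
    ("traversal-in-param", r'(?i)/api/system/(?:upload-)?logo[\s\S]{0,200}(?:filename|logo)=[\s\S]{0,40}(?:\.\./|%2e%2e%2f|\.\.%2f){2,}'),
    ("cve-framing", r'(?i)CVE-2024-3025[\s\S]{0,200}(?:path\s*traversal|logo|anythingllm\.db|/api/system/(?:upload-)?logo)'),
]
COMPILED = [(name, re.compile(rx)) for name, rx in CONDITIONS]

def matched_conditions(content):
    """Return the labels of every condition whose regex matches the content field."""
    return [name for name, rx in COMPILED if rx.search(content)]

def triggered(content):
    """condition: any -> the rule fires when at least one condition matches."""
    return bool(matched_conditions(content))

# Samples copied from the rule's test_cases.
TRUE_POSITIVES = [
    "GET /api/system/logo?filename=../../../storage/anythingllm.db HTTP/1.1",
    "POST /api/system/upload-logo with logo=../../../../storage/anythingllm.db to delete the database",
    "Exploiting CVE-2024-3025: /api/system/logo path traversal to read anythingllm.db",
]
TRUE_NEGATIVES = [
    "GET /api/system/logo?theme=default HTTP/1.1 returns the configured workspace logo",
    "POST /api/system/upload-logo uploading company-logo.png as the new appearance logo",
    "The /api/system/logo endpoint serves the branding image configured in Appearance settings.",
]
# Constructed sample (not from the page): the %2e%2e%2f form the description says is covered.
ENCODED_SAMPLE = "GET /api/system/logo?filename=%2e%2e%2f%2e%2e%2f%2e%2e%2fstorage/anythingllm.db HTTP/1.1"

def run_regression():
    """Return (sample, expected, got) for each sample whose verdict differs from the expectation."""
    cases = [(s, True) for s in TRUE_POSITIVES + [ENCODED_SAMPLE]]
    cases += [(s, False) for s in TRUE_NEGATIVES]
    return [(s, want, triggered(s)) for s, want in cases if triggered(s) != want]

if __name__ == "__main__":
    for sample in TRUE_POSITIVES + [ENCODED_SAMPLE] + TRUE_NEGATIVES:
        print(f"{matched_conditions(sample) or 'no match'!s:45} {sample}")
    print("regression failures:", run_regression())
```

An empty failure list means every sample still gets the verdict the rule records for it; run it again after any change to the regex values.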