ATR-2026-01978 | critical | tool poisoning | draft

AnythingLLM collector /process filename Path Traversal Arbitrary File Deletion (CVE-2023-5832)

CVE-2023-5832: mintplex-labs/anything-llm < 0.1.0 collector API exposes POST /process which passes the request JSON 'filename' field straight into process_single(WATCH_DIRECTORY, filename) without normalization. A filename containing ../ directory-traversal sequences escapes the hotdir / WATCH_DIRECTORY and lets a low-privilege user delete arbitrary files (e.g. ../../server/storage/anythingllm.db). This rule keys on the /process + filename + ../ traversal triad and on traversal payloads targeting anythingllm storage from the collector context.
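As an added example, not the AnythingLLM project's own code, this is the containment check the description says the collector lacked before process_single(WATCH_DIRECTORY, filename) was reached: the request's filename is joined to the hotdir, canonicalised, and accepted only if it still lies inside it. HOTDIR is a constructed sample path and vet_process_request is a hypothetical name for the validation step.

```python
import json
import os

# Constructed sample hotdir path standing in for the collector's WATCH_DIRECTORY.
HOTDIR = "/var/lib/anythingllm/hotdir"


class TraversalRejected(ValueError):
    """Raised when the requested filename does not stay inside the hotdir."""


def resolve_in_hotdir(watch_directory: str, filename: str) -> str:
    """Return the canonical absolute path of filename under watch_directory.

    Both sides go through realpath so '../' segments (and symlinks) are collapsed
    before the containment test; the hotdir itself is never a valid target.
    """
    if not filename or os.path.isabs(filename) or "\x00" in filename:
        raise TraversalRejected("empty, absolute or NUL-bearing filename")
    root = os.path.realpath(watch_directory)
    candidate = os.path.realpath(os.path.join(root, filename))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise TraversalRejected(f"filename escapes hotdir: {filename!r}")
    return candidate


def is_safe_hotdir_filename(watch_directory: str, filename: str) -> bool:
    """Boolean form of resolve_in_hotdir for callers that only need a verdict."""
    try:
        resolve_in_hotdir(watch_directory, filename)
        return True
    except TraversalRejected:
        return False


def vet_process_request(body: str, watch_directory: str = HOTDIR) -> str:
    """Parse a POST /process JSON body and return the vetted path for its filename field.

    Hypothetical validation step: everything the handler later deletes or ingests
    must come from this return value, never from the raw request field.
    """
    try:
        filename = json.loads(body).get("filename")
    except (ValueError, AttributeError):
        raise TraversalRejected("body is not a JSON object")
    if not isinstance(filename, str):
        raise TraversalRejected("filename field missing or not a string")
    return resolve_in_hotdir(watch_directory, filename)
```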

Severity
critical
Category
Tool poisoning
Scan target
both
Author
ATR Community

Suggested response

alert; block input

References

OWASP Agentic
ASI06:2026 - Tool Misuse
OWASP LLM
LLM06:2025 - Excessive Agency
MITRE ATLAS
AML.T0049 - Exploit Public-Facing Application

Detection conditions

Combination: any
  1. 01
    POST /process request whose filename field value begins with one or more ../ traversal segments, the exact CVE-2023-5832 sink shape.
    Field: content; Operator: regex
  2. 02
    filename field carrying a ../ traversal payload that targets the anythingllm.db storage file (DB-deletion exploit primitive).
    Field: content; Operator: regex
  3. 03
    explicit CVE framing
    Field: content; Operator: regex

Attack examples (rule triggers)

  1. POST /process {"filename": "../../server/storage/anythingllm.db"}
  2. curl -X POST http://target:8888/process -d '{"filename":"../../../etc/passwd"}'
  3. {"filename": "../../storage/anythingllm.db"}

The above are sanitised versions of real attack payloads, versioned together with the rule as regression tests, so that future revisions cannot silently stop catching them.

Benign samples (rule does not trigger)

  1. Legitimate /process call with a normal in-hotdir document name and no ../ traversal.
    POST /process {"filename": "quarterly-report.pdf"}
  2. Documentation describing the /process endpoint and filename field with no traversal payload.
    The AnythingLLM collector exposes a /process endpoint that takes a filename field to ingest uploaded documents.
  3. Generic mention of anythingllm.db and hotdir with no ../ traversal sequence reaching them.
    Backup of anythingllm.db and the hotdir WATCH_DIRECTORY completed successfully.
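The three regex conditions from the YAML definition below, applied with the rule's any combination to the attack and benign samples above, as an added example that is not part of the ATR rule or its tooling; evaluate, triggered and run_regression are names chosen here.

```python
import re
from typing import Dict, List

# The rule's three conditions, copied from the YAML 'value' strings after
# YAML single-quote unescaping ('' -> ').  condition: any, so one hit fires.
CONDITIONS = [
    ("01", r'''(?i)/process\b[\s\S]{0,200}["']?filename["']?\s*[:=]\s*["']?(?:\.\.[\\/]){1,}'''),
    ("02", r'''(?i)["']?filename["']?\s*[:=]\s*["']?(?:\.\.[\\/]){1,}[^"'\s]{0,120}(?:storage[\\/])?anythingllm\.db'''),
    ("03", r'''(?i)CVE-2023-5832[\s\S]{0,200}(?:path traversal|directory traversal|arbitrary file deletion|hotdir|/process)'''),
]
COMPILED = [(cid, re.compile(pattern)) for cid, pattern in CONDITIONS]


def evaluate(content: str) -> List[str]:
    """Return the ids of every condition that matches the content, in rule order."""
    return [cid for cid, rx in COMPILED if rx.search(content)]


def triggered(content: str) -> bool:
    """Rule verdict under 'condition: any': fires when at least one condition matches."""
    return bool(evaluate(content))


# Constructed regression set mirroring the rule's test_cases: True = expected to trigger.
SAMPLES: Dict[str, bool] = {
    'POST /process {"filename": "../../server/storage/anythingllm.db"}': True,
    'curl -X POST http://target:8888/process -d \'{"filename":"../../../etc/passwd"}\'': True,
    '{"filename": "../../storage/anythingllm.db"}': True,
    'POST /process {"filename": "quarterly-report.pdf"}': False,
    'The AnythingLLM collector exposes a /process endpoint that takes a filename field to ingest uploaded documents.': False,
    'Backup of anythingllm.db and the hotdir WATCH_DIRECTORY completed successfully.': False,
}


def run_regression() -> Dict[str, bool]:
    """Map each sample to whether the rule's verdict agrees with the expected one."""
    return {sample: triggered(sample) == expected for sample, expected in SAMPLES.items()}


if __name__ == "__main__":
    for sample, ok in run_regression().items():
        print("PASS" if ok else "FAIL", evaluate(sample), sample)
```

Condition 03 fires on none of the six samples; it only adds coverage for text that names the CVE together with a traversal or deletion keyword.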

Known false-positive scenarios

  • A legitimate POST /process call whose JSON filename is a plain document name inside the hotdir (e.g. {"filename":"report.pdf"}) with no ../ traversal sequence is benign and must not fire.
  • Documentation or code that mentions the AnythingLLM collector /process endpoint or the filename field without any ../ directory-traversal payload.
  • Generic mentions of anythingllm.db, hotdir, or WATCH_DIRECTORY in setup docs/backups without a traversal sequence reaching them.

Full YAML definition

title: "AnythingLLM collector /process filename Path Traversal Arbitrary File Deletion (CVE-2023-5832)"
id: ATR-2026-01978
rule_version: 1
status: draft
description: >
  CVE-2023-5832: mintplex-labs/anything-llm < 0.1.0 collector API exposes
  POST /process which passes the request JSON 'filename' field straight into
  process_single(WATCH_DIRECTORY, filename) without normalization. A filename
  containing ../ directory-traversal sequences escapes the hotdir / WATCH_DIRECTORY
  and lets a low-privilege user delete arbitrary files (e.g. ../../server/storage/anythingllm.db).
  This rule keys on the /process + filename + ../ traversal triad and on traversal
  payloads targeting anythingllm storage from the collector context.
author: "ATR Community"
date: "2026/06/29"
schema_version: "0.1"
detection_tier: pattern
maturity: test
severity: critical
references:
  owasp_llm: ["LLM06:2025 - Excessive Agency"]
  owasp_agentic: ["ASI06:2026 - Tool Misuse"]
  mitre_atlas: ["AML.T0049 - Exploit Public-Facing Application"]
  mitre_attack: ["T1190 - Exploit Public-Facing Application"]
  cve: ["CVE-2023-5832"]
metadata_provenance: { mitre_atlas: human-reviewed, owasp_llm: human-reviewed, owasp_agentic: human-reviewed }
compliance:
  eu_ai_act:
    - article: "15"
      context: "Article 15 (accuracy, robustness, cybersecurity) — runtime detection of this technique is a cybersecurity control for high-risk AI systems. Technique: AnythingLLM collector /process filename Path Traversal Arbitrary File Deletion (CVE-2023-5832)."
      strength: primary
    - article: "9"
      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control. Technique: AnythingLLM collector /process filename Path Traversal Arbitrary File Deletion (CVE-2023-5832)."
      strength: secondary
  nist_ai_rmf:
    - subcategory: "MP.5.1"
      context: "NIST AI RMF MAP 5.1 — likelihood and impact of the identified attack are characterised; this rule detects the adversarial input at runtime. Technique: AnythingLLM collector /process filename Path Traversal Arbitrary File Deletion (CVE-2023-5832)."
      strength: primary
    - subcategory: "MG.3.2"
      context: "NIST AI RMF MANAGE 3.2 — runtime monitoring/maintenance control that surfaces this attack class. Technique: AnythingLLM collector /process filename Path Traversal Arbitrary File Deletion (CVE-2023-5832)."
      strength: secondary
  iso_42001:
    - clause: "8.1"
      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control) — detection of this payload is an operational control. Technique: AnythingLLM collector /process filename Path Traversal Arbitrary File Deletion (CVE-2023-5832)."
      strength: primary
    - clause: "8.3"
      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) — this rule implements runtime detection as a treatment control. Technique: AnythingLLM collector /process filename Path Traversal Arbitrary File Deletion (CVE-2023-5832)."
      strength: secondary
tags: { category: tool-poisoning, subcategory: path-traversal, scan_target: both, confidence: high, source: cve-disclosure, vendor_sources: anythingllm-cve-2023-5832 }
agent_source: { type: llm_io, framework: [any], provider: [any] }
detection:
  condition: any
  false_positives:
    - "A legitimate POST /process call whose JSON filename is a plain document name inside the hotdir (e.g. {\"filename\":\"report.pdf\"}) with no ../ traversal sequence is benign and must not fire."
    - "Documentation or code that mentions the AnythingLLM collector /process endpoint or the filename field without any ../ directory-traversal payload."
    - "Generic mentions of anythingllm.db, hotdir, or WATCH_DIRECTORY in setup docs/backups without a traversal sequence reaching them."
  conditions:
    - field: content
      operator: regex
      value: '(?i)/process\b[\s\S]{0,200}["'']?filename["'']?\s*[:=]\s*["'']?(?:\.\.[\\/]){1,}'
      description: "POST /process request whose filename field value begins with one or more ../ traversal segments, the exact CVE-2023-5832 sink shape."
    - field: content
      operator: regex
      value: '(?i)["'']?filename["'']?\s*[:=]\s*["'']?(?:\.\.[\\/]){1,}[^"''\s]{0,120}(?:storage[\\/])?anythingllm\.db'
      description: "filename field carrying a ../ traversal payload that targets the anythingllm.db storage file (DB-deletion exploit primitive)."
    - field: content
      operator: regex
      value: '(?i)CVE-2023-5832[\s\S]{0,200}(?:path traversal|directory traversal|arbitrary file deletion|hotdir|/process)'
      description: "explicit CVE framing"
response:
  actions: [alert, block_input]
  message_template: >
    [ATR-2026-01978] CRITICAL: AnythingLLM collector POST /process accepts a filename with ../ traversal, enabling arbitrary file deletion outside the hotdir (e.g. anythingllm.db) on versions < 0.1.0 (CVE-2023-5832). Block and patch.
confidence: 80
wild_fp_rate: 0
test_cases:
  true_positives:
    - input: 'POST /process {"filename": "../../server/storage/anythingllm.db"}'
      expected: triggered
      description: "Collector /process call with filename traversing out of the hotdir to delete the AnythingLLM database, the canonical CVE-2023-5832 exploit."
    - input: 'curl -X POST http://target:8888/process -d ''{"filename":"../../../etc/passwd"}'''
      expected: triggered
      description: "filename field with stacked ../ segments against /process escapes WATCH_DIRECTORY."
    - input: '{"filename": "../../storage/anythingllm.db"}'
      expected: triggered
      description: "filename traversal payload explicitly targeting the anythingllm.db storage file."
  true_negatives:
    - input: 'POST /process {"filename": "quarterly-report.pdf"}'
      expected: not_triggered
      description: "Legitimate /process call with a normal in-hotdir document name and no ../ traversal."
    - input: 'The AnythingLLM collector exposes a /process endpoint that takes a filename field to ingest uploaded documents.'
      expected: not_triggered
      description: "Documentation describing the /process endpoint and filename field with no traversal payload."
    - input: 'Backup of anythingllm.db and the hotdir WATCH_DIRECTORY completed successfully.'
      expected: not_triggered
      description: "Generic mention of anythingllm.db and hotdir with no ../ traversal sequence reaching them."

Revision history

Created
2026-06-29
Last modified
2026-07-02