ATR-2026-01978 | critical | tool poisoning | draft
AnythingLLM collector /process filename Path Traversal Arbitrary File Deletion (CVE-2023-5832)
CVE-2023-5832: mintplex-labs/anything-llm < 0.1.0 collector API exposes POST /process which passes the request JSON 'filename' field straight into process_single(WATCH_DIRECTORY, filename) without normalization. A filename containing ../ directory-traversal sequences escapes the hotdir / WATCH_DIRECTORY and lets a low-privilege user delete arbitrary files (e.g. ../../server/storage/anythingllm.db). This rule keys on the /process + filename + ../ traversal triad and on traversal payloads targeting anythingllm storage from the collector context.
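The description above pins the defect to a single pattern: a caller-supplied name joined onto WATCH_DIRECTORY without normalization. The following added example (not code from the AnythingLLM project, and not its actual fix) places that unsafe join beside a confinement check that resolves the joined path and accepts it only if it is a strict descendant of the resolved watch directory. The directory path and the function names are assumptions for illustration.

```python
from pathlib import Path
from typing import Optional

# Constructed example value; the real collector's WATCH_DIRECTORY is set per deployment.
WATCH_DIRECTORY = "/srv/anythingllm/collector/hotdir"


def unsafe_target(watch_dir: str, filename: str) -> Path:
    """Mirror of the vulnerable pattern described for CVE-2023-5832: the request's
    filename is joined onto the watch directory as-is, so '../' segments in it
    walk out of the hotdir before any file operation happens."""
    return Path(watch_dir) / filename


def confined_target(watch_dir: str, filename: str) -> Optional[Path]:
    """Hardened variant (assumed, not the project's own fix).

    Resolve both the watch directory and the joined candidate, then require the
    watch directory to be one of the candidate's parents. This rejects '..'
    sequences, absolute names (which replace the base when joined), the empty
    name, and symlinks inside the hotdir that point outside it, because
    resolve() follows links before the check runs.
    """
    base = Path(watch_dir).resolve()
    candidate = (base / filename).resolve()
    if base not in candidate.parents:
        return None
    return candidate


def is_confined(watch_dir: str, filename: str) -> bool:
    """True when the requested name stays inside the watch directory."""
    return confined_target(watch_dir, filename) is not None


if __name__ == "__main__":
    for name in ("quarterly-report.pdf", "../../server/storage/anythingllm.db", "/etc/passwd"):
        print(f"{name!r}: unsafe join -> {unsafe_target(WATCH_DIRECTORY, name)}, "
              f"confined -> {is_confined(WATCH_DIRECTORY, name)}")
```

The check compares resolved paths rather than scanning the string for `../`, so it does not depend on how the traversal is spelled; the regexes in the rule below are the complementary, network-side view of the same boundary.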
Severity
critical
Category
Tool poisoning
Scan target
both
Author
ATR Community
Recommended response
alert, block input
References
OWASP Agentic
ASI06:2026 - Tool Misuse
OWASP LLM
LLM06:2025 - Excessive Agency
MITRE ATLAS
AML.T0049 - Exploit Public-Facing Application
Detection conditions
Combination: any
- 01: POST /process request whose filename field value begins with one or more ../ traversal segments, the exact CVE-2023-5832 sink shape. (Field: content; operator: regex)
- 02: filename field carrying a ../ traversal payload that targets the anythingllm.db storage file (DB-deletion exploit primitive). (Field: content; operator: regex)
- 03: Explicit CVE framing. (Field: content; operator: regex)
Attack examples (rule fires)
- POST /process {"filename": "../../server/storage/anythingllm.db"}
- curl -X POST http://target:8888/process -d '{"filename":"../../../etc/passwd"}'
- {"filename": "../../storage/anythingllm.db"}
The above are sanitized versions of real attack payloads. They are versioned together with the rule as regression tests, so that future revisions cannot silently stop matching them.
Benign samples (rule does not fire)
- Legitimate /process call with a normal in-hotdir document name and no ../ traversal.
  POST /process {"filename": "quarterly-report.pdf"}
- Documentation describing the /process endpoint and filename field with no traversal payload.
  The AnythingLLM collector exposes a /process endpoint that takes a filename field to ingest uploaded documents.
- Generic mention of anythingllm.db and hotdir with no ../ traversal sequence reaching them.
  Backup of anythingllm.db and the hotdir WATCH_DIRECTORY completed successfully.
Known false-positive scenarios
- A legitimate POST /process call whose JSON filename is a plain document name inside the hotdir (e.g. {"filename":"report.pdf"}) with no ../ traversal sequence is benign and must not fire.
- Documentation or code that mentions the AnythingLLM collector /process endpoint or the filename field without any ../ directory-traversal payload.
- Generic mentions of anythingllm.db, hotdir, or WATCH_DIRECTORY in setup docs/backups without a traversal sequence reaching them.
Full YAML definition
title: "AnythingLLM collector /process filename Path Traversal Arbitrary File Deletion (CVE-2023-5832)"
id: ATR-2026-01978
rule_version: 1
status: draft
description: >
  CVE-2023-5832: mintplex-labs/anything-llm < 0.1.0 collector API exposes
  POST /process which passes the request JSON 'filename' field straight into
  process_single(WATCH_DIRECTORY, filename) without normalization. A filename
  containing ../ directory-traversal sequences escapes the hotdir / WATCH_DIRECTORY
  and lets a low-privilege user delete arbitrary files (e.g. ../../server/storage/anythingllm.db).
  This rule keys on the /process + filename + ../ traversal triad and on traversal
  payloads targeting anythingllm storage from the collector context.
author: "ATR Community"
date: "2026/06/29"
schema_version: "0.1"
detection_tier: pattern
maturity: test
severity: critical
references:
  owasp_llm: ["LLM06:2025 - Excessive Agency"]
  owasp_agentic: ["ASI06:2026 - Tool Misuse"]
  mitre_atlas: ["AML.T0049 - Exploit Public-Facing Application"]
  mitre_attack: ["T1190 - Exploit Public-Facing Application"]
  cve: ["CVE-2023-5832"]
metadata_provenance: { mitre_atlas: human-reviewed, owasp_llm: human-reviewed, owasp_agentic: human-reviewed }
compliance:
  eu_ai_act:
    - article: "15"
      context: "Article 15 (accuracy, robustness, cybersecurity) — runtime detection of this technique is a cybersecurity control for high-risk AI systems. Technique: AnythingLLM collector /process filename Path Traversal Arbitrary File Deletion (CVE-2023-5832)."
      strength: primary
    - article: "9"
      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control. Technique: AnythingLLM collector /process filename Path Traversal Arbitrary File Deletion (CVE-2023-5832)."
      strength: secondary
  nist_ai_rmf:
    - subcategory: "MP.5.1"
      context: "NIST AI RMF MAP 5.1 — likelihood and impact of the identified attack are characterised; this rule detects the adversarial input at runtime. Technique: AnythingLLM collector /process filename Path Traversal Arbitrary File Deletion (CVE-2023-5832)."
      strength: primary
    - subcategory: "MG.3.2"
      context: "NIST AI RMF MANAGE 3.2 — runtime monitoring/maintenance control that surfaces this attack class. Technique: AnythingLLM collector /process filename Path Traversal Arbitrary File Deletion (CVE-2023-5832)."
      strength: secondary
  iso_42001:
    - clause: "8.1"
      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control) — detection of this payload is an operational control. Technique: AnythingLLM collector /process filename Path Traversal Arbitrary File Deletion (CVE-2023-5832)."
      strength: primary
    - clause: "8.3"
      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) — this rule implements runtime detection as a treatment control. Technique: AnythingLLM collector /process filename Path Traversal Arbitrary File Deletion (CVE-2023-5832)."
      strength: secondary
tags: { category: tool-poisoning, subcategory: path-traversal, scan_target: both, confidence: high, source: cve-disclosure, vendor_sources: anythingllm-cve-2023-5832 }
agent_source: { type: llm_io, framework: [any], provider: [any] }
detection:
  condition: any
  false_positives:
    - "A legitimate POST /process call whose JSON filename is a plain document name inside the hotdir (e.g. {\"filename\":\"report.pdf\"}) with no ../ traversal sequence is benign and must not fire."
    - "Documentation or code that mentions the AnythingLLM collector /process endpoint or the filename field without any ../ directory-traversal payload."
    - "Generic mentions of anythingllm.db, hotdir, or WATCH_DIRECTORY in setup docs/backups without a traversal sequence reaching them."
  conditions:
    - field: content
      operator: regex
      value: '(?i)/process\b[\s\S]{0,200}["'']?filename["'']?\s*[:=]\s*["'']?(?:\.\.[\\/]){1,}'
      description: "POST /process request whose filename field value begins with one or more ../ traversal segments, the exact CVE-2023-5832 sink shape."
    - field: content
      operator: regex
      value: '(?i)["'']?filename["'']?\s*[:=]\s*["'']?(?:\.\.[\\/]){1,}[^"''\s]{0,120}(?:storage[\\/])?anythingllm\.db'
      description: "filename field carrying a ../ traversal payload that targets the anythingllm.db storage file (DB-deletion exploit primitive)."
    - field: content
      operator: regex
      value: '(?i)CVE-2023-5832[\s\S]{0,200}(?:path traversal|directory traversal|arbitrary file deletion|hotdir|/process)'
      description: "explicit CVE framing"
response:
  actions: [alert, block_input]
  message_template: >
    [ATR-2026-01978] CRITICAL: AnythingLLM collector POST /process accepts a filename with ../ traversal, enabling arbitrary file deletion outside the hotdir (e.g. anythingllm.db) on versions < 0.1.0 (CVE-2023-5832). Block and patch.
confidence: 80
wild_fp_rate: 0
test_cases:
  true_positives:
    - input: 'POST /process {"filename": "../../server/storage/anythingllm.db"}'
      expected: triggered
      description: "Collector /process call with filename traversing out of the hotdir to delete the AnythingLLM database, the canonical CVE-2023-5832 exploit."
    - input: 'curl -X POST http://target:8888/process -d ''{"filename":"../../../etc/passwd"}'''
      expected: triggered
      description: "filename field with stacked ../ segments against /process escapes WATCH_DIRECTORY."
    - input: '{"filename": "../../storage/anythingllm.db"}'
      expected: triggered
      description: "filename traversal payload explicitly targeting the anythingllm.db storage file."
  true_negatives:
    - input: 'POST /process {"filename": "quarterly-report.pdf"}'
      expected: not_triggered
      description: "Legitimate /process call with a normal in-hotdir document name and no ../ traversal."
    - input: 'The AnythingLLM collector exposes a /process endpoint that takes a filename field to ingest uploaded documents.'
      expected: not_triggered
      description: "Documentation describing the /process endpoint and filename field with no traversal payload."
    - input: 'Backup of anythingllm.db and the hotdir WATCH_DIRECTORY completed successfully.'
      expected: not_triggered
      description: "Generic mention of anythingllm.db and hotdir with no ../ traversal sequence reaching them."
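To confirm that the three regexes and the `condition: any` combination actually reproduce the rule's own test_cases, the following added example (not part of the rule file or the ATR project's tooling) loads the patterns exactly as written above, with the YAML `''` escapes unfolded to `'`, and evaluates every true-positive and true-negative input. The condition names and the `regressions()` helper are assumptions made here for readability.

```python
import re

# The rule's three `conditions` entries, copied verbatim from the YAML above.
# Inside YAML single quotes, '' stands for one ', which is why ["'] appears here.
CONDITIONS = {
    "01-process-traversal": re.compile(
        r"""(?i)/process\b[\s\S]{0,200}["']?filename["']?\s*[:=]\s*["']?(?:\.\.[\\/]){1,}"""
    ),
    "02-db-target": re.compile(
        r"""(?i)["']?filename["']?\s*[:=]\s*["']?(?:\.\.[\\/]){1,}[^"'\s]{0,120}(?:storage[\\/])?anythingllm\.db"""
    ),
    "03-cve-framing": re.compile(
        r"""(?i)CVE-2023-5832[\s\S]{0,200}(?:path traversal|directory traversal|arbitrary file deletion|hotdir|/process)"""
    ),
}

# (input, expected) pairs taken from the rule's test_cases block.
TEST_CASES = [
    ('POST /process {"filename": "../../server/storage/anythingllm.db"}', True),
    ("""curl -X POST http://target:8888/process -d '{"filename":"../../../etc/passwd"}'""", True),
    ('{"filename": "../../storage/anythingllm.db"}', True),
    ('POST /process {"filename": "quarterly-report.pdf"}', False),
    ("The AnythingLLM collector exposes a /process endpoint that takes a filename field "
     "to ingest uploaded documents.", False),
    ("Backup of anythingllm.db and the hotdir WATCH_DIRECTORY completed successfully.", False),
]


def matched_conditions(content: str) -> list:
    """Names of the conditions whose regex finds a match anywhere in `content`."""
    return [name for name, rx in CONDITIONS.items() if rx.search(content)]


def evaluate(content: str, condition: str = "any") -> bool:
    """Apply the rule's combination logic: `any` fires on one hit, `all` needs every condition."""
    hits = matched_conditions(content)
    if condition == "any":
        return bool(hits)
    return len(hits) == len(CONDITIONS)


def run_test_cases() -> list:
    """(input, expected, actual) for each case in TEST_CASES."""
    return [(text, expected, evaluate(text)) for text, expected in TEST_CASES]


def regressions() -> list:
    """Inputs whose actual verdict differs from the expected one; empty means the rule passes."""
    return [text for text, expected, actual in run_test_cases() if expected != actual]


if __name__ == "__main__":
    for text, expected, actual in run_test_cases():
        status = "ok" if expected == actual else "REGRESSION"
        print(f"[{status}] expected={expected} actual={actual} hits={matched_conditions(text)} :: {text}")
```

Running it shows which condition carries each case: the first payload is caught by both 01 and 02, the curl form only by 01 (no database path, so 02 stays silent), and the bare JSON body only by 02 (no `/process` in the content, so 01 cannot anchor). The documentation sentence fails 01 because `filename` is followed by a word, not `:` or `=`, which is the boundary the false-positive list relies on.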