CVE-2025-63390

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-63390

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-63390.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-63390

Published

2025-12-18T16:15:54.867Z

Modified

2026-01-24T05:49:38.732230Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

An authentication bypass vulnerability exists in AnythingLLM v1.8.5 in via the /api/workspaces endpoint. The endpoint fails to implement proper authentication checks, allowing unauthenticated remote attackers to enumerate and retrieve detailed information about all configured workspaces. Exposed data includes: workspace identifiers (id, name, slug), AI model configurations (chatProvider, chatModel, agentProvider), system prompts (openAiPrompt), operational parameters (temperature, history length, similarity thresholds), vector search settings, chat modes, and timestamps.

References

Affected packages

Git / github.com/mintplex-labs/anything-llm

Affected ranges

Type: GIT
Repo: https://github.com/mintplex-labs/anything-llm
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

e6a33ec0911f88d2b7a53ad7d244c34df92cbd07

Affected versions

v1.*

v1.0.0

v1.1.0

v1.1.1

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.2.4

v1.3.0

v1.4.0

v1.7.4

v1.7.5

v1.7.6

v1.7.8

v1.8.0

v1.8.1

v1.8.2

v1.8.3

v1.8.4

v1.8.5

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-63390.json"