AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the filesystem-search-files agent skill passes its LLM-controlled pattern parameter to ripgrep as a positional argument without a -- end-of-options separator. ripgrep parses any argument that starts with - as an option, so a pattern of --pre=/bin/sh turns ripgrep into a script executor: it runs /bin/sh <file> for every file it walks. An attacker who can chat with an agent on a deployment with the filesystem plugin enabled (the default in the official Docker image) can use this, together with the sibling filesystem-write-text-file skill, to run arbitrary commands inside the AnythingLLM server container. This vulnerability is fixed in 1.13.0.
AnythingLLM versions prior to 1.13.0 contain a command injection vulnerability in the filesystem-search-files agent skill that allows attackers to execute arbitrary commands through ripgrep option injection. An attacker with chat access to an agent deployment can exploit this vulnerability combined with the filesystem-write-text-file skill to achieve remote code execution within the AnythingLLM container.
تحتوي AnythingLLM على ثغرة حقن أوامر في مهارة البحث في نظام الملفات حيث يتم تمرير معاملات يتحكم بها نموذج اللغة إلى ripgrep دون فاصل نهاية الخيارات. يمكن لمهاجم لديه إمكانية الوصول إلى وكيل الدردشة استخدام هذه الثغرة مع مهارة كتابة الملفات لتنفيذ أوامر تعسفية داخل حاوية الخادم.
AnythingLLM versions prior to 1.13.0 contain a command injection vulnerability in the filesystem-search-files agent skill that allows attackers to execute arbitrary commands through ripgrep option injection. An attacker with chat access to an agent deployment can exploit this vulnerability combined with the filesystem-write-text-file skill to achieve remote code execution within the AnythingLLM container.
Upgrade AnythingLLM to version 1.13.0 or later immediately. Disable the filesystem plugin if not required. Implement network segmentation to restrict access to AnythingLLM deployments. Apply principle of least privilege to container runtime permissions. Monitor for suspicious ripgrep execution patterns and command injection attempts in logs.
قم بترقية AnythingLLM إلى الإصدار 1.13.0 أو أحدث فوراً. عطّل مكون نظام الملفات إذا لم يكن مطلوباً. طبّق تقسيم الشبكة لتقييد الوصول إلى نشرات AnythingLLM. طبّق مبدأ الامتيازات الأقل على أذونات وقت تشغيل الحاوية. راقب أنماط تنفيذ ripgrep المريبة ومحاولات حقن الأوامر في السجلات.