Unrated severityNVD Advisory· Published Mar 20, 2025· Updated Oct 15, 2025
Prisma Injection in mintplex-labs/anything-llm
CVE-2024-8251
Description
A vulnerability in mintplex-labs/anything-llm prior to version 1.2.2 allows for Prisma injection. The issue exists in the API endpoint "/embed/:embedId/stream-chat" where user-provided JSON is directly taken to the Prisma library's where clause. An attacker can exploit this by providing a specially crafted JSON object, such as {"sessionId":{"not":"a"}}, causing Prisma to return all data from the table. This can lead to unauthorized access to all user queries in embedded chat mode.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <1.2.2
- mintplex-labs/mintplex-labs/anything-llmv5Range: unspecified
Patches
Vulnerability mechanics
References
2News mentions
0No linked articles in our index yet.