Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-63390

CVE-2025-63390: AnythingLLM Auth Bypass Vulnerability

CVE-2025-63390 is an authentication bypass flaw in Mintplexlabs AnythingLLM v1.8.5 that lets attackers access workspace data without authentication. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-63390 Overview

CVE-2025-63390 is an authentication bypass vulnerability in Mintplex Labs AnythingLLM version 1.8.5. The /api/workspaces endpoint fails to enforce authentication, allowing unauthenticated remote attackers to enumerate every workspace configured on a vulnerable instance. Exposed data includes workspace identifiers, AI model configurations, system prompts (openAiPrompt), operational parameters such as temperature and history length, vector search settings, chat modes, and timestamps. The flaw is classified under [CWE-306: Missing Authentication for Critical Function]. It affects confidentiality only, with no direct impact to integrity or availability.

Critical Impact

Unauthenticated attackers can retrieve sensitive workspace configurations, including proprietary system prompts and AI model settings, from any exposed AnythingLLM 1.8.5 deployment.

Affected Products

  • Mintplex Labs AnythingLLM version 1.8.5
  • Deployments exposing the /api/workspaces endpoint to untrusted networks
  • Self-hosted AnythingLLM instances without an upstream authentication proxy

Discovery Timeline

  • 2025-12-18 - CVE-2025-63390 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-63390

Vulnerability Analysis

AnythingLLM is a document-focused large language model (LLM) application that organizes user context into workspaces. Each workspace stores an AI model configuration, a system prompt, retrieval parameters, and conversation history. The /api/workspaces endpoint is intended to return this information to authenticated administrators. In version 1.8.5, the route handler omits the middleware that validates the caller's session or API token. As a result, any client that can reach the HTTP interface receives the full workspace list in JSON form.

The disclosed fields include id, name, slug, chatProvider, chatModel, agentProvider, openAiPrompt, temperature, history length, similarity thresholds, vector search settings, and chat modes. System prompts often encode proprietary logic, internal data references, and business context. Their disclosure can enable prompt reconstruction, targeted prompt injection, and reconnaissance for follow-on attacks against connected model providers.

Root Cause

The root cause is missing authentication on a critical function. The route does not attach the authentication middleware used by adjacent administrative endpoints, so requests bypass session and API token validation entirely. This is a classic [CWE-306] design defect rather than a flaw in the underlying authentication logic.

Attack Vector

Exploitation requires only network reachability to the AnythingLLM HTTP interface. An attacker issues an unauthenticated HTTP GET request to /api/workspaces and parses the JSON response. No user interaction, credentials, or elevated privileges are required. A proof-of-concept is referenced in the GitHub Gist PoC and an accompanying GitHub Gist Code Snippet.

Detection Methods for CVE-2025-63390

Indicators of Compromise

  • Unauthenticated HTTP GET requests to /api/workspaces originating from external or unexpected internal source addresses.
  • HTTP 200 responses to /api/workspaces where the request carries no Authorization header or session cookie.
  • Sequential enumeration patterns hitting /api/workspaces followed by workspace-specific endpoints using discovered slug values.

Detection Strategies

  • Inspect reverse proxy or web application firewall (WAF) logs for requests to /api/workspaces lacking authentication headers.
  • Correlate access to /api/workspaces with subsequent access to downstream workspace routes to identify reconnaissance chains.
  • Alert on any external source address reaching AnythingLLM API paths if the service is intended for internal use only.

Monitoring Recommendations

  • Forward AnythingLLM application and proxy logs to a centralized logging platform for retention and query.
  • Baseline expected callers to the /api/workspaces endpoint and alert on deviations.
  • Monitor outbound traffic from AnythingLLM hosts to configured model providers for anomalous prompt patterns that may follow prompt reconstruction.

How to Mitigate CVE-2025-63390

Immediate Actions Required

  • Remove direct internet exposure of AnythingLLM 1.8.5 instances until an authenticated build is deployed.
  • Place the application behind a reverse proxy that enforces authentication on /api/workspaces and related routes.
  • Rotate any credentials, API keys, or secrets referenced within exposed system prompts (openAiPrompt).
  • Review the GitHub Issues Discussion for vendor updates and follow-on fixes.

Patch Information

No vendor advisory URL is listed in the NVD record at time of writing. Operators should monitor the Mintplex Labs AnythingLLM repository and upgrade to a release later than 1.8.5 once a fix that adds authentication to /api/workspaces is published. Track the GitHub Issues Discussion for the corresponding pull request and release notes.

Workarounds

  • Enforce authentication at an upstream reverse proxy (for example, nginx auth_request, an OAuth2 proxy, or a service mesh policy) on all /api/workspaces paths.
  • Restrict inbound access to the AnythingLLM port using host firewalls, security groups, or network policies so that only trusted management networks can reach the API.
  • Remove sensitive content and secrets from workspace system prompts until authentication is restored, reducing the impact of any subsequent disclosure.
bash
# Example nginx snippet enforcing basic auth on the vulnerable route
location /api/workspaces {
    auth_basic "AnythingLLM Admin";
    auth_basic_user_file /etc/nginx/.htpasswd;
    proxy_pass http://127.0.0.1:3001;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.