mirror of
https://github.com/Mintplex-Labs/anything-llm.git
synced 2026-07-19 14:13:35 -04:00
Closed
opened 2026-06-05 14:52:41 -04:00 by yindo
·
0 comments
No Branch/Tag Specified
master
5846-bug-when-scrolling-up-scrolling-jumps
refactor-remove-workspace-pfp
5969-bug-stopgenerationbutton-disappears-on-the-first-prompt-that-initiates-an-agent-session
2235-bug-how-to-upload-a-folder-with-subfolders-with-files-to-anythingllm
5990-workspace-update-fails-with-unknown-argument-router_id-v1130v1150-intel-mac
opencomputer-examples
pg
feat/image-generation-translations
feat/image-generation
5924-bug-meeting-summary-fails-with-sincludes-is-not-a-function-when-default-llm-is-anthropic-claude
render
feat/uniform-modal-component
5883-bug-unescaped-content-in-json-strings-being-passed-to-document-generator-tools
5901-bug-api-update-embeddings-fails-prisma-argument-filename-is-missing-on-workspace_documentscreate-desktop-windows-v1141
hybrid-search
1981-translations
5752-bug-prompts-to-local-jan-endpoint-unresponsive
feat-disable-native-tool-calling-env-var
5676-bug-non-ollama-agent-providers-do-not-parse-and-present-reasoning-content
feat/markdown-web-scraping
5717-bug-apiv1documentupload-silently-drops-metadata-field-in-desktop-1130-arg-count-mismatch-nested-payload-key
fix/aibitat-context-overflow
5711-bug-erratic-deepseek-v4-flash-the-agent-model-failed-to-respond-400-the-reasoning_content
5631-feat-custom-api-request-timeouts-for-ai-providers
feat-reasoning-control
feat-agent-clarifying-questions-translations
5583-bug-lm-studio-provider-does-not-present-reasoning-output
5313-normalize-translations
feat/memory-translations
5305-lemonade-embedding-engine-swallows-errors-falsely-reports-documents-as-embedded
5060-bug-agent-interactions-agent-are-not-persisted-to-thread-history-via-api
pptx-subagent
feat-render-images-from-mcp-tool-results
stt-provider-expansion-openai-api-compatible
feat-file-search-agent-tool
feat-native-embedder-job-queue
5189-normalize-translations
feat-file-search-agent-tool-translations
i18n-eslint
5140-auto-migration
5112-bug-openrouter-failed-message-bug
3506-feat-parameters-for-openrouter-models
4992-feat-preserve-scroll-position
4973-bug-markdown-numbered-list-display-in-reasoning-pane
desktop
4938-bug-pending-chat-rerendering-ui-bug
quickstart-env
node-llama-cpp-in-container-cuda
node-llama-cpp-in-container
ollama-in-container
4817-feat-set-cooldown-per-mcp-server
4845-keyboard-shortcuts-to-navigate-in-chat
4844-feat-reorder-threads-by-latest-interaction
standardize-username-constraints-normalize-translations
4792-feat-refactor-workspacepfp-image
1382-embed-ip-improvements
1382-bug-embed-api-improvements
refactor-eslint-frontend
4687-feat-refactor-vector-db-providers
4615-feat-disable-apidocs-with-environment-variable
4559-feat-agent-web-search-enable-ordering-of-results
4599-bug-ollama-race-condition-bug
4572-bug-lmstudio-provided-llm-stopped-working-with-anything-llm-after-upgrading-to-190
4508-agent-youtube-transcript-analysis
4497-feat-workspace-names
frontend-eslint
ollama-lmstudio-auto-context-window
4431-validate-vector-database-connectioN
2019-slash-command-keyboard-selection
microsoft-foundry-provider
4431-validate-vector-database-connection
4325-sys-prompt-var-improvements
3209-feat-apiv1workspacestream-chat-sources-citations
4210-bug-voice-to-text-overwrite
4136-feat-jan-as-a-backend-server-option
4172-feat-openai-o3-support
1.8.3-rerelease
web-push-notifications-service
tasks
3955-feat-jinaai-embedder-provider-support
3921-feat-agent-skills-uiux-improvements
3901-bug-validfunccall-checks-optional-arguments
keyboard-dev
1787-custom-roles-and-permissions
add-jira-slack-data-connector
office-extension-wip
lightmode-dropdown-color-update
3586-bug-agent-flow-function-description-provided-by-user-is-not-seen-in-the-llm-query
3463-bug-agent-continues-to-run-if-request-failed-even-after-exit
3439-feat-call-variables-within-the-flow-api-block-url-field
3282-manager-view-models-workspace
3280-token-counting-server-side-truncation-improvements
3147-bug-embedded-chat-widget---not-considering-query-mode-option-always-working-in-chat-mode
2995-feat-disable-temperature-setting-for-deepseek-r1-deepseek-reasoner-model
2827-feat-perplexity-citations
2866-feat-finally-a-gemini-models-endpoint
2647-feat-hpp-header-for-a-c++-code-file-mime-addition
lancedb-revert
1656-feat-implement-tooltip-ui-designs
2011-feat-bump-perplexity-models
1873-feat-auto-add-and-watch-folder-for-document-uploads
1297-feat-gemini-agent-support
1759-bug-ui-bug-fixes
1686-feat-implement-winston-for-logging
1536-bug-toggling-on-users-can-delete-workspaces-does-not-take-effect
agent-ui-mobile-styles
1522-feat-chromadb-support
1595-bug-unable-to-get-live-web-search-and-browsing-agent-working-using-google-custom-search-engine-error-getaddrinfo-enotfound-http-errno-3008
1582-bug-lm-studio-does-not-allow-for-different-model-selection
1312-bug-usernames-should-not-be-case-sensitive-when-logging-in
1029-feat-hf-serverless-inference-api
1086-feat-implement-normalized-input-fields
knowledge-graph-support
644-bug-uploaded-file-name-does-not-match-the-displayed-file-name-after-the-upload
v1.15.0
v1.14.2
v1.14.1
v1.14.0
v1.13.0
v1.12.1
v1.12.0
v1.11.2
v1.11.1
v1.11.0
v1.10.0
v1.9.1
v1.9.0
v1.8.5
v1.8.4
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.7.8
v1.7.6
v1.7.5
v1.7.4
v1.4.0
v1.3.0
v1.2.4
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.1.1
v1.1.0
v1.0.0
Labels
Clear labels
Desktop
Docker
Integration Request
Integration Request
OS: Linux
OS: Mobile
OS: Windows
UI/UX
blocked
bug
bug
core-team-only
documentation
duplicate
embed-widget
enhancement
feature request
github_actions
good first issue
investigating
needs info / can't replicate
possible bug
pull-request
question
stage: specifications
wontfix
Mirrored from GitHub Pull Request
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: Mintplex-Labs/anything-llm#5212
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @timothycarambat on GitHub (May 16, 2026).
Original GitHub issue: https://github.com/Mintplex-Labs/anything-llm/issues/5642
Original from @hariantara
Summary
The May 10 patch in
21ce030(GHSA-vjrp-43mm-j7vw) changed fs.stat to fs.lstat in copy-file.js to stop the recursive copy from following symlinks. The exact same fs.stat anti-pattern still exists in list-directory.js. When the agent is asked to list a directory with includeSizes: true, each entry is fs.stat'd directly, so any symlink entry inside the allowed directory leaks its target's size and mtime, even if the target lives outside the allowed directory.Details
I was reading the fix for GHSA-vjrp-43mm-j7vw and noticed the change was a one-liner: fs.stat to fs.lstat, plus a guard rejecting symlinks. I grepped the same plugin folder for the remaining fs.stat callers:
lib.js:303 (#tailFileRaw) and lib.js:483 (getFileStats) are both called with paths that have already been run through filesystem.validatePath(), which uses fs.realpath and rejects any path whose resolved target falls outside the allowed dirs. Those two are safe.
list-directory.js:104 is different. It validates the parent directory once and then iterates over its entries without re-validating each one:
entry.isDirectory() from the Dirent uses lstat semantics, so the type flag reflects the symlink itself. But fs.stat(entryPath) follows the symlink and returns the target's stats. So if a symlink in the allowed dir points to e.g. /etc/passwd, the agent's response truthfully reports the size and mtime of /etc/passwd.
The threat model is the same one the May 10 advisory used: a pre-existing symlink in the configured filesystem-agent directory. That's common in Docker volume mounts, manually shared dirs, or any setup where another process placed a symlink. The agent tool then becomes a metadata oracle for files outside the allowed area.
Audit summary of the other ops in plugins/filesystem/:
copy-file.js -- already patched by GHSA-vjrp-43mm-j7vw
read-text-file.js, write-text-file.js, move-file.js, edit-file.js, get-file-info.js, read-multiple-files.js -- safe (validatePath resolves symlinks via realpath for every path that reaches fs.*)
list-directory.js -- this report
PoC
Pre-condition: one symlink inside the allowed dir pointing at something outside it. Same pre-condition as the parent advisory.
cd /path/to/your/anythingllm-allowed-dir
ln -s /etc/passwd leaked.txt
Then from a chat with the filesystem agent enabled:
List the current directory with sizes included.
The agent calls filesystem-list-directory with includeSizes: true. The response includes a line like:
[FILE] leaked.txt 3.5 KiB
That 3.5 KiB is the size of /etc/passwd on the server. mtime is also reported in the detailed-entry struct and shows up if you ask the agent to format that field. You can repeat the trick with any path the server process can read.
Impact
Information disclosure (CWE-200) of file metadata -- size, mtime, and isDirectory flag from stats -- for files outside the configured filesystem-agent directory. No file content leaks through this path. Same impact category and threat model as GHSA-vjrp-43mm-j7vw, which was rated Low.
Suggested fix is the same as the parent advisory, one line:
const stats = await fs.lstat(entryPath);
That returns the symlink's own stats instead of following it. Optional polish: when stats.isSymbolicLink() is true and entry.isDirectory() is false, mark it [LINK] in the formatted output so the agent sees it as a symlink instead of a regular file.