[PR #5559] [CLOSED] fix: the document collector performs outbound http r... in index.js #5485

Closed
opened 2026-06-05 15:21:30 -04:00 by yindo · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/Mintplex-Labs/anything-llm/pull/5559
Author: @orbisai0security
Created: 4/29/2026
Status: Closed

Base: masterHead: fix-ssrf-path-traversal-download-uri


📝 Commits (1)

  • ae8342c fix: V-001 security vulnerability

📊 Changes

2 files changed (+9 additions, -3 deletions)

View changed files

📝 collector/utils/downloadURIToFile/index.js (+4 -2)
📝 collector/utils/url/index.js (+5 -1)

📄 Description

Summary

Fix critical severity security issue in collector/utils/downloadURIToFile/index.js.

Vulnerability

Field Value
ID V-001
Severity CRITICAL
Scanner multi_agent_ai
Rule V-001
File collector/utils/downloadURIToFile/index.js:44

Description: The document collector performs outbound HTTP requests using fetch() with user-supplied URLs without validating against an allowlist or blocking private and internal IP ranges. In downloadURIToFile/index.js:44, the url parameter is fetched directly with no validation. In ConfluenceLoader/index.js:73, the url is fetched with authentication headers attached, meaning internal services that receive the request will also receive the Confluence credentials. No IP range validation, DNS rebinding protection, or allowlist enforcement is present in either file.

Changes

  • collector/utils/url/index.js
  • collector/utils/downloadURIToFile/index.js

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Automated security fix by OrbisAI Security


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/Mintplex-Labs/anything-llm/pull/5559 **Author:** [@orbisai0security](https://github.com/orbisai0security) **Created:** 4/29/2026 **Status:** ❌ Closed **Base:** `master` ← **Head:** `fix-ssrf-path-traversal-download-uri` --- ### 📝 Commits (1) - [`ae8342c`](https://github.com/Mintplex-Labs/anything-llm/commit/ae8342c0feecdbb153ab44be1cc7691689b1a992) fix: V-001 security vulnerability ### 📊 Changes **2 files changed** (+9 additions, -3 deletions) <details> <summary>View changed files</summary> 📝 `collector/utils/downloadURIToFile/index.js` (+4 -2) 📝 `collector/utils/url/index.js` (+5 -1) </details> ### 📄 Description ## Summary Fix critical severity security issue in `collector/utils/downloadURIToFile/index.js`. ## Vulnerability | Field | Value | |-------|-------| | **ID** | V-001 | | **Severity** | CRITICAL | | **Scanner** | multi_agent_ai | | **Rule** | `V-001` | | **File** | `collector/utils/downloadURIToFile/index.js:44` | **Description**: The document collector performs outbound HTTP requests using fetch() with user-supplied URLs without validating against an allowlist or blocking private and internal IP ranges. In downloadURIToFile/index.js:44, the url parameter is fetched directly with no validation. In ConfluenceLoader/index.js:73, the url is fetched with authentication headers attached, meaning internal services that receive the request will also receive the Confluence credentials. No IP range validation, DNS rebinding protection, or allowlist enforcement is present in either file. ## Changes - `collector/utils/url/index.js` - `collector/utils/downloadURIToFile/index.js` ## Verification - [x] Build passes - [x] Scanner re-scan confirms fix - [x] LLM code review passed --- *Automated security fix by [OrbisAI Security](https://orbisappsec.com)* --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
yindo added the pull-request label 2026-06-05 15:21:30 -04:00
yindo closed this issue 2026-06-05 15:21:30 -04:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Mintplex-Labs/anything-llm#5485