CVE-2024-5213: 
Homebrew vulnerability analysis and mitigation

A sensitive information exposure vulnerability was discovered in mintplex-labs/anything-llm versions up to and including 1.5.3. The vulnerability occurs when the password hash of a user is returned in API responses after login (POST /api/request-token) and account creation (POST /api/admin/users/new) operations (NVD).

The vulnerability stems from including the entire User object, including the bcrypt password hash, in API responses sent to the frontend. While bcrypt is a strong hashing algorithm, exposing password hashes is considered a security risk. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

This vulnerability could lead to sensitive information exposure by revealing password hashes to clients. Even though bcrypt is used for hashing, exposing these hashes could potentially assist attackers in offline password cracking attempts (NVD).

The issue has been patched by implementing proper user object filtering before sending responses to the frontend. The fix involves creating a filterFields function that removes sensitive fields like password hashes from user objects before they are returned in API responses (GitHub Patch).