Dangerous AI Security Vulnerability Discovered in AnythingLLM – still unpatched.

Munich, July 2025 – mgm security partners GmbH has identified a dangerous security vulnerability in the widely used application AnythingLLM. This is a susceptibility to Cross-Prompt Injection Attacks (XPIA), which in the case of AnythingLLM carries a significantly higher risk of damage: injected malicious code can embed itself and attack other chats within the same workspace. There is urgent need for action, particularly for companies where AnythingLLM has gained traction as an internal chatbot solution. Despite being contacted about the vulnerability, the vendor Mintplex Labs did not respond. To date, the flaw remains unpatched.

The vulnerability, tracked as CVE-2025-44822, was discovered on March 3, 2025 by mgm security partners and immediately reported to Mintplex Labs. mgm security partners demonstrated how an attacker can exploit the weakness to inject malicious code via a single chat interaction, then target all active or subsequently opened chat histories within the same workspace. Users need only attach one specially crafted document. The manipulations are invisible to the naked eye and can only be revealed through targeted investigation.

The attack begins with the injection of malicious instructions (XPIA) into data sources, which are then processed by the LLM application. This flaw bypasses the built-in security mechanisms of the LLM — from input validation to handling external content. After a successful XPIA attack, an adversary can abuse the markdown formatting functions intended for text styling to exfiltrate sensitive user data to external servers.

Key aspects of the vulnerability:

* Persistent threat: Attackers gain continuous access to all messages of all chats within the same workspace through XPIA in documents.
* Invisible attacks: The malicious instructions can be embedded in documents in a way that makes it nearly impossible for the user to detect the attack.
* Multiple points of attack: Other possible attack vectors exist via plugin integrations, custom agents and tools.

Need for action for affected companies

As Mintplex Labs has not responded even after a 90-day deadline for responsible disclosure of the vulnerability (Responsible Disclosure Procedure) was set and a final request to respond expired, mgm security partners is now publishing the vulnerability found. The current version 1.8.4 as of 29.07.25 is still vulnerable.

There is an increased risk for companies and their employees who use AnythingLLM together with untrusted documents. The outflow of sensitive data is difficult to detect at network level unless HTTP traffic is comprehensively monitored. Therefore, manually checking all chats and documents is currently the only reliable way to detect an attack. Temporary protection measures such as Guardrails can provide support, but do not offer complete security. Until an update for AnythingLLM is released that prevents the automatic integration of external content, no untrusted sources - such as documents, plugins or tools - should be used.

Further information

A detailed description of the vulnerability and the attack process can be found at this link: https://www.mgm-sp.com/anythingllm.

mgm security partners gmbh
Taunusstr. 23
80807 München
Germany

https://www.mgm-sp.com

Herr Thomas Schreiber
089/358680-880

thomas.schreiber@mgm-sp.com

mgm security partners specializes in application security. The company helps customers to develop and deploy software securely - from classic web applications to AI-based systems. This includes sound advice on securing web and mobile applications, implementing DevSecOps strategies and the secure use of generative AI and large language models (LLMs). With penetration tests, code reviews and security analyses as well as tool-supported Application Security Posture Management (ASPM), mgm security partners supports continuous risk monitoring.

This release was published on openPR.