


Perceptive Security
SOC/SIEM Consultancy

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the filesystem-sear…
Published:
27 May 2026 at 22:00:00
Alert date:
28 May 2026 at 23:02:47
Source:
nvd.nist.gov
Web Technologies, Enterprise Applications
AnythingLLM versions prior to 1.13.0 contain a command injection vulnerability in the filesystem-search-files agent skill. The LLM-controlled pattern parameter is handed to ripgrep as a positional argument with no argument separation between ripgrep's own options and the pattern, so a pattern that begins with "-" is parsed by ripgrep as a command-line option instead of as a search string. Ripgrep's --pre option runs an external program over every file it searches, which is what lets a crafted pattern turn ripgrep into a script executor. An attacker who can chat with an agent on a deployment with the filesystem plugin enabled can therefore write a script with the filesystem-write-text-file skill and then have the search skill run it, gaining arbitrary command execution inside the AnythingLLM server container. The default Docker image configuration is affected. The issue is fixed in version 1.13.0.
Technical details
Mitigation steps:
Upgrade AnythingLLM to version 1.13.0 or later. Until the upgrade is applied, disable the filesystem agent skills (filesystem-search-files and filesystem-write-text-file) on deployments where untrusted users can chat with an agent, since the vulnerability is only reachable when the filesystem plugin is enabled.
Affected products:
AnythingLLM
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-48116
https://github.com/Mintplex-Labs/anything-llm/commit/94ed62d320df1a06c229e4bc3ee09c2cb5111b33
https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-6hrp-7mw6-8v59
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
