Open WebUI Uncontrolled Resource Consumption vulnerability

GHSA-chf7-q7m5-fq92 · CVE-2024-12537

Published Mar 20, 2025 · Modified Apr 1, 2025

Description

In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker to access the api/v1/utils/code/format endpoint. If a malicious actor sends a POST request with an excessively high volume of content, the server could become completely unresponsive. This could lead to severe performance issues, causing the server to become unresponsive or experience significant degradation, ultimately resulting in service interruptions for legitimate users.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-12537
PACKAGE https://github.com/open-webui/open-webui
WEB https://github.com/open-webui/open-webui/blob/e8babe62bc8e466be0367703fd062a981f5c2394/src/lib/apis/utils/index.ts#L25-L56
WEB https://huntr.com/bounties/edabd06c-acc0-428c-a481-271f333755bc

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes