Open WebUI Unauthenticated Multipart Boundary Denial of Service (DoS) Vulnerability in api/chat/file

GHSA-6wj5-5pgr-jwq8

Published Mar 20, 2025 · Modified Apr 15, 2025

Description

A vulnerability in open-webui/open-webui version 79778fa allows an attacker to cause a Denial of Service (DoS) by uploading a file with a malformed multipart boundary. By appending a large number of characters to the end of the multipart boundary, the server continuously processes each character, rendering the application inaccessible. This issue can prevent all users from accessing the application until the server recovers.

References

WEB https://github.com/Kludex/python-multipart/security/advisories/GHSA-59g5-xgcq-4qw3
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-53981
WEB https://github.com/open-webui/open-webui/commit/f311c03a21dc09e279a0cad7482a68b273517baf
PACKAGE https://github.com/open-webui/open-webui
WEB https://huntr.com/bounties/15eb4fbe-70d4-420e-806a-ec6f4ecb7202

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes