CVE-2024-12534 – open-webui

Package

Manager: npm
Name: open-webui
Vulnerable Version: >=0 <=0.3.32 || >=0 <=0.3.32

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00298 pctl0.52685

Details

Open WebUI Uncontrolled Resource Consumption vulnerability In version v0.3.32 of open-webui/open-webui, the application allows users to submit large payloads in the email and password fields during the sign-in process due to the lack of character length validation on these inputs. This vulnerability can lead to a Denial of Service (DoS) condition when a user submits excessively large strings, exhausting server resources such as CPU, memory, and disk space, and rendering the service unavailable for legitimate users. This makes the server susceptible to resource exhaustion attacks without requiring authentication.

Metadata

Created: 2025-03-20T12:32:43Z
Modified: 2025-03-21T17:30:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-g3mx-83mp-3rwc/GHSA-g3mx-83mp-3rwc.json
CWE IDs: ["CWE-400"]
Alternative ID: GHSA-g3mx-83mp-3rwc
Finding: F067
Auto approve: 1