CVE-2024-8053 – open-webui
Package
Manager: pip
Name: open-webui
Vulnerable Version: >=0 <=0.3.10
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00544 (percentile 0.66774)
Details
Open WebUI lacks authentication for the `api/v1/utils/pdf` endpoint. In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint has no authentication mechanism, so unauthenticated attackers can reach the PDF generation service. An attacker can exploit this by sending a POST request with an excessively large payload, potentially exhausting server resources and causing a denial of service (DoS). Unauthenticated users can also misuse the endpoint to generate PDFs without any verification, resulting in service misuse and potential operational and financial impact.
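As an added triage example (not code from the Open WebUI project or from the advisory), the Python script below checks an installed version string against the affected range stated above and sends one small, well-formed POST to `/api/v1/utils/pdf` with no credentials to see whether the route is gated. The request body shape (`title` and `messages` keys) and the expectation that a protected deployment answers an anonymous POST with 401 or 403 are assumptions, not facts from the advisory; the probe deliberately does not send the oversized payload that triggers the DoS.

```python
"""Triage helper for CVE-2024-8053 (GHSA-9vf8-xgwm-97r8): missing
authentication on Open WebUI's POST /api/v1/utils/pdf endpoint.

Added example, not code from the Open WebUI project or the advisory.
Assumptions (not stated in the advisory): the endpoint accepts a JSON
body with "title" and "messages" keys, and a correctly protected
deployment answers an unauthenticated POST with 401 or 403.
"""
import argparse
import json
import re
import urllib.error
import urllib.request
from typing import Optional, Tuple

# Affected range from the advisory: >=0 <=0.3.10
LAST_AFFECTED = (0, 3, 10)
ENDPOINT_PATH = "/api/v1/utils/pdf"


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn 'v0.3.10', '0.3.10' or '0.3.10rc1' into a comparable tuple.
    Only the first three numeric components are compared; anything after
    them (pre-release tags, build metadata) is ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the installed version falls inside the advisory's range."""
    return parse_version(version) <= LAST_AFFECTED


def classify_response(status: Optional[int]) -> str:
    """Map the HTTP status of an unauthenticated POST to a verdict.

    2xx     -> the server rendered a PDF for an anonymous caller: vulnerable.
    401/403 -> an authentication/authorization layer rejected the call: protected.
    anything else (404, 5xx, no response) -> inconclusive; inspect manually.
    """
    if status is None:
        return "inconclusive"
    if 200 <= status < 300:
        return "vulnerable"
    if status in (401, 403):
        return "protected"
    return "inconclusive"


def probe(base_url: str, timeout: float = 5.0) -> Optional[int]:
    """Send one small, well-formed, unauthenticated POST and return the status.

    The body is deliberately tiny: the point is to learn whether the route
    is gated, not to reproduce the resource-exhaustion DoS from the advisory.
    Returns None when no HTTP response arrives (connection refused, timeout).
    """
    # Assumed body shape; adjust if the deployment expects different fields.
    body = json.dumps({"title": "auth probe", "messages": []}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT_PATH,
        data=body,
        method="POST",
        # No Authorization header or session cookie on purpose.
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code
    except urllib.error.URLError:
        return None


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Unauthenticated-access probe for /api/v1/utils/pdf")
    ap.add_argument("base_url", help="e.g. http://localhost:8080")
    ap.add_argument("--version", help="installed open-webui version, if known")
    args = ap.parse_args()
    if args.version:
        verdict = "in affected range" if is_affected(args.version) else "outside affected range"
        print(f"version {args.version}: {verdict}")
    status = probe(args.base_url)
    print(f"POST {ENDPOINT_PATH} without credentials -> {status}: {classify_response(status)}")
```

Run it only against an instance you are authorised to test. A 2xx response to the credential-less POST means the server produced a PDF for an anonymous caller, which is the condition the advisory describes; a 401 or 403 indicates the route is behind an authentication layer. A version inside the affected range but an inconclusive probe result (for example a 404 behind a reverse proxy) still warrants upgrading.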
Metadata
Created: 2025-03-20T12:32:47Z
Modified: 2025-03-21T21:23:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-9vf8-xgwm-97r8/GHSA-9vf8-xgwm-97r8.json
CWE IDs: ["CWE-287", "CWE-306"]
Alternative ID: GHSA-9vf8-xgwm-97r8
Finding: F039
Auto approve: 1