CVE-2024-12534: Open WebUI Uncontrolled Resource Consumption vulnerability

March 20, 2025 (updated March 21, 2025)

In version v0.3.32 of open-webui/open-webui, the application allows users to submit large payloads in the email and password fields during the sign-in process due to the lack of character length validation on these inputs. This vulnerability can lead to a Denial of Service (DoS) condition when a user submits excessively large strings, exhausting server resources such as CPU, memory, and disk space, and rendering the service unavailable for legitimate users. This makes the server susceptible to resource exhaustion attacks without requiring authentication.

References

github.com/advisories/GHSA-g3mx-83mp-3rwc
github.com/open-webui/open-webui
github.com/open-webui/open-webui/blob/e8babe62bc8e466be0367703fd062a981f5c2394/src/lib/apis/auths/index.ts
huntr.com/bounties/c7c0a4e6-acd3-49b4-8684-2c2c27014b76
nvd.nist.gov/vuln/detail/CVE-2024-12534

Code Behaviors & Features

Detect and mitigate CVE-2024-12534 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →