CVE-2024-12537: Open WebUI Uncontrolled Resource Consumption vulnerability

March 20, 2025 (updated March 21, 2025)

In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker to access the api/v1/utils/code/format endpoint. If a malicious actor sends a POST request with an excessively high volume of content, the server could become completely unresponsive. This could lead to severe performance issues, causing the server to become unresponsive or experience significant degradation, ultimately resulting in service interruptions for legitimate users.

References

github.com/advisories/GHSA-chf7-q7m5-fq92
github.com/open-webui/open-webui
github.com/open-webui/open-webui/blob/e8babe62bc8e466be0367703fd062a981f5c2394/src/lib/apis/utils/index.ts
huntr.com/bounties/edabd06c-acc0-428c-a481-271f333755bc
nvd.nist.gov/vuln/detail/CVE-2024-12537

Code Behaviors & Features

Detect and mitigate CVE-2024-12537 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →