CVE-2024-7037: open-webui allows writing and deleting arbitrary files

October 9, 2024

In version v0.3.8 of open-webui/open-webui, the endpoint /api/pipelines/upload is vulnerable to arbitrary file write and delete due to unsanitized file.filename concatenation with CACHE_DIR. This vulnerability allows attackers to overwrite and delete system files, potentially leading to remote code execution.

References

github.com/advisories/GHSA-54f4-v6v9-9q82
github.com/open-webui/open-webui
github.com/open-webui/open-webui/blob/main/backend/main.py
huntr.com/bounties/8508db68-9c99-4b1c-828c-e1bfcacfb847
nvd.nist.gov/vuln/detail/CVE-2024-7037

Detect and mitigate CVE-2024-7037 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →