CVE-2024-7999: Open WebUI Unauthenticated Multipart Boundary Denial of Service (DoS) Vulnerability in api/chat/file

March 20, 2025 (updated March 21, 2025)

A vulnerability in open-webui/open-webui version 79778fa allows an attacker to cause a Denial of Service (DoS) by uploading a file with a malformed multipart boundary. By appending a large number of characters to the end of the multipart boundary, the server continuously processes each character, rendering the application inaccessible. This issue can prevent all users from accessing the application until the server recovers.

References

github.com/advisories/GHSA-6wj5-5pgr-jwq8
github.com/open-webui/open-webui
github.com/open-webui/open-webui/commit/f311c03a21dc09e279a0cad7482a68b273517baf
huntr.com/bounties/15eb4fbe-70d4-420e-806a-ec6f4ecb7202
nvd.nist.gov/vuln/detail/CVE-2024-7999

Code Behaviors & Features

Detect and mitigate CVE-2024-7999 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →