CVE-2024-8053: Open WebUI lacks authentication for the `api/v1/utils/pdf` endpoint

March 20, 2025 (updated March 21, 2025)

In version v0.3.10 of open-webui/open-webui, the api/v1/utils/pdf endpoint lacks authentication mechanisms, allowing unauthenticated attackers to access the PDF generation service. This vulnerability can be exploited by sending a POST request with an excessively large payload, potentially leading to server resource exhaustion and denial of service (DoS). Additionally, unauthorized users can misuse the endpoint to generate PDFs without verification, resulting in service misuse and potential operational and financial impacts.

References

github.com/advisories/GHSA-9vf8-xgwm-97r8
github.com/open-webui/open-webui
huntr.com/bounties/ebe8c1fa-113b-4df9-be03-a406b9adb9f4
nvd.nist.gov/vuln/detail/CVE-2024-8053

Code Behaviors & Features

Detect and mitigate CVE-2024-8053 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →