CVE-2024-12537
Open WebUI Uncontrolled Resource Consumption vulnerability
Description
In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker to access the `api/v1/utils/code/format` endpoint. If a malicious actor sends a POST request with an excessively high volume of content, the server could become completely unresponsive. This could lead to severe performance issues, causing the server to become unresponsive or experience significant degradation, ultimately resulting in service interruptions for legitimate users.
How to fix CVE-2024-12537
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- —no fix listed
- —no fix listed
Is CVE-2024-12537 being exploited?
Low — EPSS is 2.7%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, <= 0.3.32
- from 0, <= 0.3.32
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |