PyPI: open-webui
CVE-2024-7044
Safety vulnerability ID: SFTY-20250320-46230
Safety legacy ID: pyup.io-76245
Affected versions of the open-webui package are vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization in the chat file upload functionality. The file upload feature fails to properly validate or sanitize file content before storage and subsequent display, allowing malicious JavaScript to be embedded within uploaded files. An attacker can exploit this vulnerability by uploading a file containing malicious JavaScript code and sharing the file URL or chat session with victims, causing the script to execute in the victims' browsers and potentially leading to session hijacking, data theft, or phishing attacks.
Overview
Open WebUI Vulnerable to Cross-Site Scripting (XSS) via Chat File Upload
Advisory
Affected versions of the open-webui package are vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization in the chat file upload functionality. The file upload feature fails to properly validate or sanitize file content before storage and subsequent display, allowing malicious JavaScript to be embedded within uploaded files. An attacker can exploit this vulnerability by uploading a file containing malicious JavaScript code and sharing the file URL or chat session with victims, causing the script to execute in the victims' browsers and potentially leading to session hijacking, data theft, or phishing attacks.
How to Fix
Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20250320-46230/CVE-2024-7044
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7044
- https://github.com/advisories/GHSA-j274-m559-cj4j
- https://nvd.nist.gov/vuln/detail/CVE-2024-7044
- https://huntr.com/bounties/c25a885c-d6e2-4169-9ee8-4d33bcbb5ef6
- https://github.com/advisories/GHSA-j274-m559-cj4j
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
Learn more