CVE-2024-12534
📋 TL;DR
This vulnerability in open-webui/open-webui allows unauthenticated attackers to submit extremely large payloads in email and password fields during sign-in, causing resource exhaustion and Denial of Service. Any system running the vulnerable version is affected, potentially rendering the web UI unavailable to legitimate users.
💻 Affected Systems
- open-webui/open-webui
📦 What is this software?
Open Webui by Openwebui
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage with server resource exhaustion (CPU, memory, disk space) leading to extended downtime and potential data corruption.
Likely Case
Temporary service unavailability during attack, degraded performance for legitimate users, and potential system instability.
If Mitigated
Minimal impact with proper input validation and resource limits in place.
🎯 Exploit Status
Exploitation is straightforward - simply sending large payloads to the sign-in endpoint. No special tools or techniques required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.3.33 or later
Vendor Advisory: https://huntr.com/bounties/c7c0a4e6-acd3-49b4-8684-2c2c27014b76
Restart Required: No
Instructions:
1. Update open-webui to version v0.3.33 or later.
2. Verify the update was successful.
3. No restart required as this is a web application fix.
🔧 Temporary Workarounds
Implement Web Application Firewall (WAF) rules
Configure WAF to block or limit large payloads to the sign-in endpoint
Rate limiting on sign-in endpoint
Implement request rate limiting to prevent rapid exploitation attempts
🧯 If You Can't Patch
- Implement reverse proxy with request size limits and input validation
- Monitor server resources closely and set up alerts for unusual resource consumption
🔍 How to Verify
Check if Vulnerable:
Check if running open-webui version v0.3.32. Attempt to send large payloads (>10MB) to the sign-in endpoint and monitor resource usage.
Check Version:
Check package.json or application configuration for version information, or use: docker inspect open-webui | grep version
Verify Fix Applied:
After updating, attempt to send large payloads to the sign-in endpoint; requests should be rejected or truncated. Verify the version is v0.3.33 or later.
📡 Detection & Monitoring
Log Indicators:
- Unusually large request sizes to /api/auth/signin endpoint
- Multiple failed login attempts with large payloads
- High resource usage alerts (CPU, memory, disk)
Network Indicators:
- Large HTTP POST requests to sign-in endpoint
- Multiple connection attempts from single IP to sign-in
SIEM Query:
source="web_server" AND ((uri_path="/api/auth/signin" AND request_size>10000000) OR error_message="request entity too large")
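As an added example (not part of this advisory or of the open-webui project), the log indicators above turned into a small Python check over constructed access-log lines: it flags POSTs to /api/auth/signin whose request body exceeds the 10,000,000-byte threshold used in the SIEM query, or that the proxy rejected with HTTP 413, and counts hits per source IP. The log field layout (a trailing request-body size column) is an assumption; adjust the regex to your proxy's format.

```python
import re
from collections import Counter

# Threshold taken from the advisory's SIEM query: 10,000,000 bytes (~10 MB).
SIZE_THRESHOLD = 10_000_000
SIGNIN_PATH = "/api/auth/signin"   # endpoint path as named in the advisory

# Combined-log style line with a trailing request body size field, e.g.
# <ip> - - [<ts>] "<method> <path> <proto>" <status> <resp_bytes> <req_bytes>
# (this layout is an assumption; adapt the regex to your proxy's log format)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<resp_bytes>\d+|-) (?P<req_bytes>\d+|-)$'
)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["req_bytes"] = 0 if d["req_bytes"] == "-" else int(d["req_bytes"])
    return d

def is_suspicious(rec):
    """True for oversized or proxy-rejected (413) POSTs to the sign-in endpoint."""
    if rec is None or rec["method"] != "POST" or rec["path"] != SIGNIN_PATH:
        return False
    return rec["req_bytes"] > SIZE_THRESHOLD or rec["status"] == 413

def find_indicators(lines, min_hits=1):
    """Return {ip: hit_count} for sources with at least min_hits suspicious sign-in requests."""
    hits = Counter(rec["ip"] for rec in map(parse_line, lines) if is_suspicious(rec))
    return {ip: n for ip, n in hits.items() if n >= min_hits}

# Constructed sample log lines (not real traffic); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "POST /api/auth/signin HTTP/1.1" 200 512 143',
    '203.0.113.9 - - [01/Jan/2025:10:00:02 +0000] "POST /api/auth/signin HTTP/1.1" 413 0 52428800',
    '203.0.113.9 - - [01/Jan/2025:10:00:03 +0000] "POST /api/auth/signin HTTP/1.1" 200 0 15000000',
    '203.0.113.9 - - [01/Jan/2025:10:00:04 +0000] "POST /api/auth/signin HTTP/1.1" 200 0 15000000',
    '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /api/models HTTP/1.1" 200 2048 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, n in find_indicators(SAMPLE_LOG, min_hits=2).items():
        print(f"{ip}: {n} oversized/rejected sign-in requests")
```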