CVE-2024-7044

8.9 HIGH

📋 TL;DR

A stored XSS vulnerability in open-webui version 0.3.8 allows attackers to upload malicious files containing JavaScript. When victims access these files through chat URLs, the script executes in their browsers, potentially compromising user sessions and data. This affects all users of vulnerable open-webui instances.

💻 Affected Systems

Products:
  • open-webui/open-webui
Versions: Version 0.3.8
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default chat file upload functionality; no special configuration required.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover, credential theft, malware deployment across user systems, and persistent phishing attacks from compromised accounts.

🟠 Likely Case

Session hijacking leading to unauthorized access to chat histories and user data, with potential for credential harvesting.

🟢 If Mitigated

Limited impact with proper input validation and content security policies preventing script execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires attacker to upload malicious file and victim to access it; stored nature makes exploitation persistent.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 0.3.9 or later

Vendor Advisory: https://huntr.com/bounties/c25a885c-d6e2-4169-9ee8-4d33bcbb5ef6

Restart Required: No

Instructions:

1. Update open-webui to version 0.3.9 or later.
2. Verify the update completed successfully.
3. Test file upload functionality to ensure XSS protection is working.

🔧 Temporary Workarounds

Disable file upload functionality
Platform: all

Temporarily disable chat file uploads until patching is possible.

Steps: Modify the configuration to disable file uploads in the chat interface.

Implement Content Security Policy
Platform: all

Add CSP headers to restrict script execution from untrusted sources.

Steps: Add the header Content-Security-Policy: default-src 'self'; script-src 'self' to the web server's responses.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all file uploads
  • Deploy web application firewall with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check if running open-webui version 0.3.8; test file upload with XSS payload to see if script executes.

Check Version:

Check package.json or run 'npm list open-webui' to verify version

Verify Fix Applied:

After updating, attempt to upload file with XSS payload and verify script does not execute.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload patterns
  • Large number of file uploads from single user
  • File uploads with suspicious extensions

Network Indicators:

  • HTTP requests to upload endpoints with script-like content
  • Unusual file downloads from chat URLs

SIEM Query:

source=web_logs AND (uri_path="/upload" OR uri_path="/chat/file") AND (content_type="text/html" OR file_extension IN ("html", "htm", "svg"))
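The SIEM query above, carried out in plain Python as an added example that is not part of this page or the open-webui project: it applies the same upload-path and HTML/SVG content-type or extension conditions to constructed JSON web-log lines, and additionally counts uploads per user to surface the burst pattern listed under Log Indicators. The field names, the image/svg+xml type and the burst threshold are assumptions.

```python
import json
from collections import Counter

# Values taken from the SIEM query on this page.
UPLOAD_PATHS = {"/upload", "/chat/file"}
SCRIPT_CAPABLE_EXTENSIONS = {"html", "htm", "svg"}
# The query lists text/html; image/svg+xml is added here as an assumption,
# since an SVG rendered inline can carry script just as an HTML file can.
SCRIPT_CAPABLE_TYPES = {"text/html", "image/svg+xml"}

def file_extension(name: str) -> str:
    """Lower-cased extension of an uploaded file name, or '' if it has none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def is_risky_upload(event: dict) -> bool:
    """True when one web-log event matches the stored-XSS upload pattern:
    a request to an upload endpoint carrying HTML/SVG content or extension."""
    if event.get("uri_path") not in UPLOAD_PATHS:
        return False
    ctype = event.get("content_type", "").split(";")[0].strip().lower()
    return (ctype in SCRIPT_CAPABLE_TYPES
            or file_extension(event.get("file_name", "")) in SCRIPT_CAPABLE_EXTENSIONS)

def triage(log_lines, burst_threshold=3):
    """Parse JSON web-log lines; return (risky events, users at/above burst_threshold uploads)."""
    events = [json.loads(line) for line in log_lines if line.strip()]
    risky = [e for e in events if is_risky_upload(e)]
    uploads_per_user = Counter(e.get("user") for e in events if e.get("uri_path") in UPLOAD_PATHS)
    bursts = {u: n for u, n in uploads_per_user.items() if n >= burst_threshold}
    return risky, bursts

# Constructed sample log lines (not real traffic); field names assumed to match the SIEM query.
SAMPLE_LOG = [
    '{"user":"alice","uri_path":"/upload","file_name":"report.pdf","content_type":"application/pdf"}',
    '{"user":"mallory","uri_path":"/upload","file_name":"notes.html","content_type":"text/html"}',
    '{"user":"mallory","uri_path":"/chat/file","file_name":"logo.svg","content_type":"image/svg+xml"}',
    '{"user":"mallory","uri_path":"/upload","file_name":"data.csv","content_type":"text/csv"}',
    '{"user":"bob","uri_path":"/api/chats","file_name":"","content_type":"application/json"}',
    '{"user":"eve","uri_path":"/upload","file_name":"page.HTM","content_type":"application/octet-stream"}',
]

if __name__ == "__main__":
    risky, bursts = triage(SAMPLE_LOG)
    for e in risky:
        print(f"ALERT script-capable upload: user={e['user']} path={e['uri_path']} file={e['file_name']}")
    for user, n in bursts.items():
        print(f"ALERT upload burst: user={user} uploads={n}")
```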

🔗 References
