CVE-2024-7983

7.5 HIGH

📋 TL;DR

This vulnerability in open-webui version 0.3.8 exposes an unauthenticated markdown-to-HTML conversion endpoint. Attackers can send specially crafted markdown payloads that cause excessive server processing time, leading to denial of service where the server becomes unresponsive to legitimate requests. Anyone running open-webui 0.3.8 with default configuration is affected.

💻 Affected Systems

Products:
  • open-webui
Versions: 0.3.8
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only systems where the markdown conversion endpoint is reachable are affected; it is reachable without credentials in a default installation.

📦 What is this software?

Open WebUI is a self-hosted web interface for chatting with LLM backends such as Ollama and OpenAI-compatible APIs. It is built as a Python (FastAPI) backend serving a Svelte front end, which is why the markdown-to-HTML conversion runs on the server rather than in the browser.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability for all users until the malicious conversion completes or the server is restarted, potentially causing extended downtime.

🟠

Likely Case

Temporary service degradation or intermittent unresponsiveness affecting user experience and system reliability.

🟢

If Mitigated

Minimal impact with proper rate limiting, authentication, or input validation in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a malicious markdown payload to the vulnerable endpoint without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.3.9 or later

Vendor Advisory: https://huntr.com/bounties/f8156ca5-1328-480f-a72b-8d3dfdad87dc

Restart Required: Yes (the running server process or container must be restarted so the patched code is what serves requests)

Instructions:

1. Update open-webui to version 0.3.9 or later using the installation method you deployed with (for example `pip install --upgrade open-webui`, or pull a 0.3.9+ container image and recreate the container).
2. Verify the update completed successfully by checking the installed version.
3. Restart the open-webui process (or recreate the container); a Python backend does not pick up new code until it is restarted.

🔧 Temporary Workarounds

Implement authentication (applies to: all platforms)

Add an authentication requirement to the markdown conversion endpoint so anonymous clients cannot reach the renderer at all.

Rate limiting (applies to: all platforms)

Implement per-client rate limiting on the vulnerable endpoint to prevent abuse, and pair it with a request body size cap so a single request cannot carry an arbitrarily large markdown payload.
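One way to apply both workarounds at the application layer, shown here as an added example that is not open-webui's own code: a framework-independent guard that rejects oversized bodies, unauthenticated requests and per-client bursts, in that order, before the markdown renderer is ever invoked. The lower-cased header dict, the static bearer token and the numeric limits are assumptions for illustration; in a FastAPI deployment the check would run as a dependency ahead of the route handler.

```python
import hmac
import time
from dataclasses import dataclass

# Limits are illustrative assumptions, not values from the advisory.
MAX_BODY_BYTES = 64 * 1024       # largest markdown document the endpoint will parse
RATE_CAPACITY = 5                # burst a single client may send
RATE_REFILL_PER_SEC = 0.5        # sustained rate: one request per 2 s per client


@dataclass
class TokenBucket:
    """Classic token bucket: refills continuously, spends one token per request."""
    capacity: float
    refill_per_sec: float
    tokens: float
    last: float

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class MarkdownEndpointGuard:
    """Decides whether a conversion request may reach the markdown renderer.

    Checks run cheapest-first so abusive traffic is dropped before any
    expensive work: body size, then credential, then per-client rate.
    Assumed request shape: headers as a dict with lower-case keys, the
    client address as a string, and the raw body as bytes.
    """

    def __init__(self, api_token: str, clock=time.monotonic):
        self._token = api_token
        self._clock = clock                      # injectable for testing
        self._buckets: dict[str, TokenBucket] = {}

    def check(self, headers: dict, client_ip: str, body: bytes) -> tuple[int, str]:
        """Return an HTTP status and reason; 200 means the renderer may run."""
        # 1. Size limit: a fixed cap bounds worst-case parser work whatever the content.
        declared = headers.get("content-length")
        try:
            declared_len = int(declared) if declared is not None else len(body)
        except ValueError:
            return 400, "malformed Content-Length"
        if max(declared_len, len(body)) > MAX_BODY_BYTES:
            return 413, "markdown body too large"

        # 2. Authentication: the endpoint must not be reachable anonymously.
        #    Constant-time comparison avoids leaking the token byte by byte.
        auth = headers.get("authorization", "")
        presented = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if not presented or not hmac.compare_digest(presented, self._token):
            return 401, "missing or invalid bearer token"

        # 3. Rate limit per client address, so one client cannot monopolise the renderer.
        now = self._clock()
        bucket = self._buckets.get(client_ip)
        if bucket is None:
            bucket = TokenBucket(RATE_CAPACITY, RATE_REFILL_PER_SEC, RATE_CAPACITY, now)
            self._buckets[client_ip] = bucket
        if not bucket.allow(now):
            return 429, "rate limit exceeded"

        return 200, "ok"


if __name__ == "__main__":
    guard = MarkdownEndpointGuard("example-token")
    print(guard.check({}, "10.0.0.1", b"# hello"))                                   # (401, ...)
    print(guard.check({"authorization": "Bearer example-token"}, "10.0.0.1", b"# hi"))  # (200, 'ok')
```

The bucket state lives in process memory, so with several worker processes each worker enforces its own limit; a shared store or the reverse proxy's rate limiting is the right place for a multi-worker deployment. The guard also bounds only the input, not the rendering time, so keep a hard upstream timeout for this endpoint at the proxy until the patch is applied.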

🧯 If You Can't Patch

  • Implement network-level access controls to restrict access to the vulnerable endpoint
  • Deploy a web application firewall with DoS protection rules

🔍 How to Verify

Check if Vulnerable:

The deployment is vulnerable if it runs open-webui 0.3.8 and a POST to the markdown conversion endpoint without any session or API token is accepted and rendered rather than rejected with 401/403.

Check Version:

Check the installed package version (for example `pip show open-webui`) or the tag of the running container image; the version string is also recorded in the project's package.json and shown in the web UI's About/settings view.

Verify Fix Applied:

Verify that the running open-webui version is 0.3.9 or later, then confirm that an unauthenticated request to the markdown endpoint is rejected and that an authenticated request with a large or pathological payload returns promptly instead of tying up the server.

📡 Detection & Monitoring

Log Indicators:

  • Unusually long processing times for markdown conversion requests
  • Multiple rapid requests to the markdown endpoint
  • Server error logs indicating timeout or resource exhaustion

Network Indicators:

  • High volume of requests to /api/markdown or similar endpoints
  • Unusually large payloads sent to conversion endpoints

SIEM Query:

source="webui" AND (uri="/api/markdown" OR uri="/convert") AND response_time>5000

The field names (source, uri, response_time) are placeholders; map them to the fields of your reverse proxy or application access log, and use the endpoint path your deployment actually exposes.
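The same three indicators (slow conversions, oversized payloads and request bursts) run over sample access-log lines, as an added example rather than a detection rule shipped by open-webui or any SIEM vendor. The log format, endpoint paths, thresholds and client addresses are constructed for illustration; the paths are the ones the query above watches.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed access-log format for this example (constructed; not open-webui's own output):
#   <ISO-8601 timestamp> <client_ip> <method> <path> <status> <request_bytes> <duration_ms>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+) (?P<ms>\d+)$"
)
CONVERSION_PATH = re.compile(r"/(markdown|convert)(/|$)")   # paths the SIEM query watches

SLOW_MS = 5000                          # a single conversion slower than this is suspicious
LARGE_BYTES = 64 * 1024                 # far beyond a normal chat message
BURST_COUNT = 20                        # this many conversions from one client ...
BURST_WINDOW = timedelta(seconds=60)    # ... inside this window


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["bytes"] = int(rec["bytes"])
    rec["ms"] = int(rec["ms"])
    return rec


def analyze(lines):
    """Emit (kind, client_ip, timestamp) findings for the indicators listed above."""
    findings = []
    recent = defaultdict(deque)   # client_ip -> timestamps of recent conversion requests
    burst_flagged = set()         # report each bursting client once, not per request
    for line in lines:
        rec = parse_line(line)
        if rec is None or not CONVERSION_PATH.search(rec["path"]):
            continue              # only the conversion endpoint is in scope
        ip, ts = rec["ip"], rec["ts"]
        if rec["ms"] > SLOW_MS:
            findings.append(("slow_conversion", ip, ts))
        if rec["bytes"] > LARGE_BYTES:
            findings.append(("large_payload", ip, ts))
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > BURST_WINDOW:   # slide the window forward
            window.popleft()
        if len(window) >= BURST_COUNT and ip not in burst_flagged:
            burst_flagged.add(ip)
            findings.append(("request_burst", ip, ts))
    return findings


def sample_log():
    """Constructed lines: normal traffic, one slow and one oversized conversion, one burst."""
    base = datetime(2024, 8, 20, 12, 0, 0, tzinfo=timezone.utc)
    fmt = "{ts} {ip} POST {path} {status} {nbytes} {ms}"
    lines = [
        fmt.format(ts=base.isoformat(), ip="192.0.2.10", path="/api/markdown", status=200, nbytes=812, ms=14),
        # slow, but not a conversion request: must not be flagged
        fmt.format(ts=(base + timedelta(seconds=5)).isoformat(), ip="192.0.2.10", path="/api/chat", status=200, nbytes=9000, ms=7000),
        fmt.format(ts=(base + timedelta(seconds=9)).isoformat(), ip="203.0.113.7", path="/api/markdown", status=200, nbytes=3100, ms=12400),
        fmt.format(ts=(base + timedelta(seconds=15)).isoformat(), ip="203.0.113.7", path="/api/markdown", status=200, nbytes=300000, ms=900),
        "garbage line that should be ignored",
    ]
    for i in range(25):   # 25 conversions from one client within 50 seconds
        lines.append(fmt.format(ts=(base + timedelta(seconds=20 + 2 * i)).isoformat(),
                                ip="198.51.100.9", path="/api/markdown", status=200, nbytes=500, ms=30))
    return lines


if __name__ == "__main__":
    for kind, ip, ts in analyze(sample_log()):
        print(f"{ts.isoformat()} {kind:16} {ip}")
```

The per-client window is the part worth tuning: a single slow request already identifies a crafted payload, while bursts of fast requests from one address are how an attacker keeps a patched or rate-limited endpoint busy, so both thresholds should be set from your own baseline of legitimate conversion traffic.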
