CVE-2024-8053

8.2 HIGH

📋 TL;DR

This vulnerability in open-webui v0.3.10 allows unauthenticated attackers to access the PDF generation endpoint, potentially causing denial of service through resource exhaustion or unauthorized PDF generation. Anyone running the affected version of open-webui is vulnerable.

💻 Affected Systems

Products:
  • open-webui/open-webui
Versions: v0.3.10
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments with the PDF generation endpoint enabled and accessible.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server resource exhaustion leading to prolonged denial of service, potential operational disruption, and financial costs from service misuse.

🟠 Likely Case

Server performance degradation from resource exhaustion attacks and unauthorized PDF generation consuming system resources.

🟢 If Mitigated

Minimal impact with proper authentication and rate limiting in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP POST requests to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.3.11 or later

Vendor Advisory: https://huntr.com/bounties/ebe8c1fa-113b-4df9-be03-a406b9adb9f4

Restart Required: Yes

Instructions:

1. Update open-webui to v0.3.11 or later.
2. Restart the open-webui service.
3. Verify the fix by checking the version and testing endpoint access.

🔧 Temporary Workarounds

Disable PDF endpoint (platforms: all)

Disable the vulnerable /api/v1/utils/pdf endpoint if not required: modify the configuration to disable the PDF generation feature.

Implement authentication middleware (platforms: all)

Add authentication requirements to the PDF endpoint: configure the web server or application to require authentication for /api/v1/utils/pdf.

🧯 If You Can't Patch

  • Implement network-level access controls to restrict access to the PDF endpoint
  • Deploy rate limiting and request size limits for the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Check if open-webui version is v0.3.10 and test if /api/v1/utils/pdf endpoint accepts unauthenticated POST requests.

Check Version:

Check open-webui version in application interface or configuration files.

Verify Fix Applied:

Verify version is v0.3.11+ and test that /api/v1/utils/pdf endpoint requires authentication.

📡 Detection & Monitoring

Log Indicators:

  • Multiple large POST requests to /api/v1/utils/pdf
  • Unauthenticated access to PDF endpoint
  • High resource usage from PDF generation

Network Indicators:

  • Unusual volume of POST requests to PDF endpoint
  • Large payloads sent to /api/v1/utils/pdf

SIEM Query:

source="open-webui" AND (uri_path="/api/v1/utils/pdf" AND http_method="POST")
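The three log indicators above, applied to constructed access-log lines as an added example (not part of this advisory or of open-webui); the JSON field names, thresholds and addresses are assumptions, so map your proxy's fields accordingly:

```python
"""Flag suspicious calls to the open-webui PDF endpoint in access logs.

Added detection example, not part of the advisory or the open-webui project.
The JSON-lines log format (ts/src/method/path/bytes/authenticated) is a
constructed assumption; adapt the field names to your reverse proxy.
"""
import json
from collections import deque
from datetime import datetime

PDF_PATH = "/api/v1/utils/pdf"
MAX_BODY = 1_000_000          # bytes; tune to what legitimate exports need
BURST_N, BURST_SEC = 5, 60    # more than BURST_N PDF POSTs per source in BURST_SEC

def parse(line):
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def analyze(lines):
    """Return (reason, ts, src) tuples for each advisory indicator observed."""
    findings = []
    recent = {}  # src -> deque of timestamps of recent PDF POSTs
    for rec in map(parse, lines):
        if rec["method"] != "POST" or rec["path"] != PDF_PATH:
            continue
        src = rec["src"]
        if not rec.get("authenticated"):
            findings.append(("unauthenticated_pdf_post", rec["ts"], src))
        if rec.get("bytes", 0) > MAX_BODY:
            findings.append(("oversized_pdf_post", rec["ts"], src))
        q = recent.setdefault(src, deque())
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > BURST_SEC:
            q.popleft()          # drop timestamps outside the sliding window
        if len(q) == BURST_N + 1:   # fires when the count first exceeds BURST_N
            findings.append(("pdf_post_burst", rec["ts"], src))
    return findings

def _rec(ts, src, method, path, nbytes, auth):
    return json.dumps({"ts": ts, "src": src, "method": method, "path": path,
                       "bytes": nbytes, "authenticated": auth})

# Constructed sample log: one benign authenticated export, then an abusive run.
SAMPLE_LOG = [
    _rec("2024-09-01T10:00:00", "10.0.0.5", "POST", PDF_PATH, 4000, True),
    _rec("2024-09-01T10:00:05", "10.0.0.5", "GET", "/api/v1/models", 0, True),
] + [
    _rec(f"2024-09-01T10:01:{10 * i:02d}", "203.0.113.7", "POST", PDF_PATH, 5_000_000, False)
    for i in range(6)
]

if __name__ == "__main__":
    for reason, ts, src in analyze(SAMPLE_LOG):
        print(f"{ts.isoformat()} {src} {reason}")
```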
