CVE-2025-64496

7.3 HIGH

📋 TL;DR

Open WebUI versions 0.6.224 and earlier contain a code injection vulnerability in the Direct Connections feature. Malicious external model servers can execute arbitrary JavaScript in victim browsers, leading to authentication token theft, account takeover, and potentially remote code execution when chained with the Functions API. This affects administrators and users who enable Direct Connections and add untrusted model URLs.

💻 Affected Systems

Products:
  • Open WebUI
Versions: 0.6.224 and prior
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Direct Connections feature must be enabled and a malicious external model URL added for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the Open WebUI instance leading to backend server remote code execution, data exfiltration, and persistent access.

🟠 Likely Case

Authentication token theft and account takeover of users who interact with malicious model servers.

🟢 If Mitigated

Limited impact if Direct Connections remains disabled and only trusted model servers are used.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires social engineering to convince admin/users to add malicious model URL. Exploitation involves JavaScript injection via Server-Sent Events.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.6.35

Vendor Advisory: https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx

Restart Required: Yes

Instructions:

1. Back up your Open WebUI configuration and data.
2. Update to version 0.6.35 or later using your package manager or by pulling the latest Docker image.
3. Restart the Open WebUI service or container.

🔧 Temporary Workarounds

Disable Direct Connections (applies to: all)

Keep the Direct Connections feature disabled, as it is by default.

Restrict Model URLs (applies to: all)

Only add trusted, verified model server URLs to Direct Connections.

🧯 If You Can't Patch

  • Disable Direct Connections feature entirely.
  • Implement network segmentation to isolate Open WebUI from untrusted networks.

🔍 How to Verify

Check if Vulnerable:

Check if Open WebUI version is 0.6.224 or earlier and Direct Connections is enabled.

Check Version:

Check the Open WebUI web interface settings or run 'docker inspect open-webui' for container version.

Verify Fix Applied:

Confirm version is 0.6.35 or later and test Direct Connections functionality.
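The three checks above as a small script, added here as an example and not part of Open WebUI or this advisory. It assumes the container image tag carries the version (tags such as `main` or `latest` do not, and are reported as unknown) and that an environment variable named `ENABLE_DIRECT_CONNECTIONS` toggles the feature; both are assumptions to confirm against your own deployment.

```python
import json
import re
from typing import Optional, Tuple

# Patch version stated in the advisory: anything at or above this is fixed.
FIXED_VERSION = (0, 6, 35)
# Assumed name of the setting that toggles Direct Connections (hypothetical;
# confirm the key your deployment actually uses).
DIRECT_CONN_ENV = "ENABLE_DIRECT_CONNECTIONS"


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract (major, minor, patch) from strings such as 'v0.6.35',
    '0.6.35-rc1' or 'ghcr.io/open-webui/open-webui:v0.6.35'.
    Returns None when no x.y.z version is present (e.g. tag 'main')."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(version: str, direct_connections: bool) -> str:
    """Classify one deployment.
    'patched'            : version >= 0.6.35
    'vulnerable'         : older version and Direct Connections enabled
    'exposed-if-enabled' : older version, feature currently disabled
    'unknown'            : version could not be determined"""
    v = parse_version(version)
    if v is None:
        return "unknown"
    if v >= FIXED_VERSION:
        return "patched"
    return "vulnerable" if direct_connections else "exposed-if-enabled"


def assess_from_docker_inspect(inspect_json: str) -> str:
    """Read the image tag and the Direct Connections toggle out of the JSON
    printed by `docker inspect <container>` (Config.Image and Config.Env
    are standard fields of that output)."""
    cfg = json.loads(inspect_json)[0]["Config"]
    env = dict(e.split("=", 1) for e in cfg.get("Env", []) if "=" in e)
    enabled = env.get(DIRECT_CONN_ENV, "false").strip().lower() in ("1", "true", "yes")
    return assess(cfg.get("Image", ""), enabled)


# Constructed sample, trimmed to the two fields used here; not captured from a real host.
SAMPLE_INSPECT = json.dumps([{"Config": {
    "Image": "ghcr.io/open-webui/open-webui:v0.6.30",
    "Env": ["PATH=/usr/local/bin:/usr/bin", "ENABLE_DIRECT_CONNECTIONS=true"],
}}])

if __name__ == "__main__":
    print(assess_from_docker_inspect(SAMPLE_INSPECT))  # vulnerable
```

Feed it the real output with `docker inspect open-webui > inspect.json` and call `assess_from_docker_inspect(open("inspect.json").read())`.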

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript execution events in browser logs
  • Unexpected Server-Sent Event connections to external domains

Network Indicators:

  • Outbound connections to unknown model servers from Open WebUI instance

SIEM Query:

source="open-webui" AND (event="sse_execute" OR destination_ip NOT IN trusted_ips)
