CVE-2025-1758
Published: 2025-03-19
Priority: P3 53 | Severity: high | CVSS 3.1 base score: 8.8
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.79% (90.8th percentile)
Improper Input Validation vulnerability in Progress LoadMaster allows Buffer Overflow. This issue affects:
* LoadMaster: 7.2.40.0 and above
* ECS: All versions
* Multi-Tenancy: 7.1.35.4 and above
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| progress | loadmaster | >= 7.1.54.4 < 7.1.35.14 | 7.1.35.14 |
| progress | loadmaster | >= 7.2.40.0 < 7.2.61.1 | 7.2.61.1 |
| progress | multi-tenant_loadmaster | >= 7.1.35.4 | — |

Note on the first loadmaster row: as printed, its lower bound (7.1.54.4) is above its fixed version (7.1.35.14), so the range matches no version at all. The vendor description lists 7.1.35.4 as the first affected Multi-Tenancy release, so treat that lower bound as suspect and compare the build you run against the fixed versions (7.1.35.14 on the 7.1.35 branch, 7.2.61.1 on 7.2.x) rather than against this range.
GHSA · 2025-12-04 · CVE-2025-65958 [HIGH] CWE-918 (a separate advisory, not CVE-2025-1758)
Open WebUI vulnerable to Server-Side Request Forgery (SSRF) via Arbitrary URL Processing in /api/v1/retrieval/process/web
### Summary
A Server-Side Request Forgery (SSRF) vulnerability in Open WebUI allows any authenticated user to force the server to make HTTP requests to arbitrary URLs. This can be exploited to reach cloud metadata endpoints (AWS/GCP/Azure), scan internal networks, access internal services behind firewalls, and exfiltrate sensitive information. No special permissions beyond basic authentication are required.
### Details
The vulnerability exists in the /api/v1/retrieval/process/web endpoint, located in backend/open_webui/routers/retrieval.py at lines 1758-1767.
Vulnerable code:
```python
@router.post("/process/web")
def process_web(
    request: Request, form_data: ProcessUrlForm,
```
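The summary above says any authenticated user can point the endpoint at an arbitrary URL, including cloud metadata and internal hosts. What follows is an added example of the outbound-URL check that closes that class of bug: it is the editor's code, not Open WebUI's, and the names check_outbound_url, is_safe_url, stub_resolver and the STUB_DNS table are assumptions made for illustration. It refuses non-HTTP schemes, embedded credentials, known metadata hostnames, and any URL whose host is, or resolves to, a loopback, private, link-local, multicast, reserved or metadata address; every resolved address is checked, so a name with one public and one internal answer is still refused.

```python
"""Added example (editor's code, not Open WebUI's): validate a user-supplied URL before
the server fetches it, refusing anything that points at loopback, private, link-local
or cloud-metadata addresses. Names below (check_outbound_url, is_safe_url,
stub_resolver, STUB_DNS) are hypothetical."""
import ipaddress
import socket
from typing import Callable, Tuple
from urllib.parse import urlsplit

# Cloud metadata endpoints reachable by name or by link-local address
# (AWS/Azure IPv4, AWS IPv6, GCP hostnames).
METADATA_HOSTS = {"metadata.google.internal", "metadata"}
METADATA_ADDRS = {ipaddress.ip_address("169.254.169.254"),
                  ipaddress.ip_address("fd00:ec2::254")}


class UnsafeURL(ValueError):
    """Raised when a URL must not be fetched by the server."""


def _is_blocked(ip) -> bool:
    # Fold IPv4-mapped IPv6 (::ffff:10.0.0.1) back to IPv4 so the v4 rules apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip in METADATA_ADDRS or ip.is_loopback or ip.is_private
            or ip.is_link_local or ip.is_multicast or ip.is_reserved
            or ip.is_unspecified)


def system_resolver(host: str) -> list:
    """Resolve with the OS resolver (needs network); returns every A/AAAA answer."""
    return [ipaddress.ip_address(r[4][0]) for r in socket.getaddrinfo(host, None)]


def check_outbound_url(url: str, resolver: Callable = system_resolver) -> Tuple[str, list]:
    """Return (host, resolved_ips) if url may be fetched, else raise UnsafeURL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeURL(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        raise UnsafeURL("credentials in URL not allowed")
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        raise UnsafeURL("missing host")
    if host.rstrip(".") in METADATA_HOSTS:
        raise UnsafeURL(f"metadata host {host!r} not allowed")
    try:
        ips = [ipaddress.ip_address(host)]  # literal address: no DNS lookup needed
    except ValueError:
        ips = resolver(host)
    if not ips:
        raise UnsafeURL(f"{host!r} did not resolve")
    for ip in ips:  # check every answer, not just the first
        if _is_blocked(ip):
            raise UnsafeURL(f"{host!r} resolves to blocked address {ip}")
    return host, ips


def is_safe_url(url: str, resolver: Callable = system_resolver) -> bool:
    """Boolean wrapper for callers that only need allow/deny."""
    try:
        check_outbound_url(url, resolver)
        return True
    except UnsafeURL:
        return False


# Constructed stub DNS table so the example runs offline; not real records.
STUB_DNS = {
    "docs.example": ["93.184.216.34"],
    "split.example": ["93.184.216.34", "10.0.0.5"],  # one public, one internal answer
}


def stub_resolver(host: str) -> list:
    return [ipaddress.ip_address(a) for a in STUB_DNS.get(host, [])]


if __name__ == "__main__":
    for u in ("https://docs.example/page",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]:8080/",
              "http://split.example/",
              "http://metadata.google.internal/computeMetadata/v1/",
              "file:///etc/passwd"):
        print(f"{u:52} -> {'allow' if is_safe_url(u, stub_resolver) else 'deny'}")
```

Two gaps remain by design and have to be closed by the caller: the HTTP client must connect to the addresses this function returned (or re-run the check in a connection hook) rather than resolving the name again, or a DNS-rebinding host can pass the check and then point at 127.0.0.1; and automatic redirect following must be off, with every hop re-checked, or a public URL that 302s to the metadata address bypasses everything above.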
GHSA (unreviewed) · 2025-03-19 · GHSA-xgrc-mq5c-7xjc · CVE-2025-1758 [MEDIUM] CWE-121
Improper Input Validation vulnerability in Progress LoadMaster allows Buffer Overflow. This issue affects:
* LoadMaster: 7.2.40.0 and above
* ECS: All versions
* Multi-Tenancy: 7.1.35.4 and above
Note that this unreviewed GHSA entry carries a MEDIUM label while the CVSS 3.1 base score shown on this page is 8.8 (High); the two were not produced by the same assessment.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Timeline: 2025-03-19 Published