CVE-2025-64496
published 2025-11-08CVE-2025-64496: Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection…
PriorityP260high8CVSS 3.1
AVNACLPRLUIRSUCHIHAH
EPSS
7.77%
93.9th percentile
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in victim browsers via Server-Sent Event (SSE) execute events. This leads to authentication token theft, complete account takeover, and when chained with the Functions API, enables remote code execution on the backend server. The attack requires the victim to enable Direct Connections (disabled by default) and add the attacker's malicious model URL, achievable through social engineering of the admin and subsequent users. This issue is fixed in version 0.6.35.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| open-webui | open-webui | < 0.6.35 | 0.6.35 |
| open-webui | open-webui | >= 0 < 0.9.5 | 0.9.5 |
| open-webui | open-webui | >= 0 < 0.6.35 | 0.6.35 |
| open-webui | open-webui | >= 0 < 0.6.35 | 0.6.35 |
| openwebui | open_webui | < 0.6.35 | 0.6.35 |
Detection & IOCsextracted from sources · hover to see the quote
- →Malicious external model server sends Server-Sent Event (SSE) 'execute' events containing arbitrary JavaScript to victim browsers via the Direct Connections feature of Open WebUI ↗
- →Attack chain leads to authentication token theft and account takeover; when chained with the Functions API, enables remote code execution on the backend server ↗
- →Attack vector requires victim to have Direct Connections enabled and a malicious model URL added; monitor for unexpected external model server URLs configured in Open WebUI Direct Connections settings ↗
- ·Direct Connections feature is disabled by default; the attack surface only exists when an admin explicitly enables it and adds an attacker-controlled model URL ↗
- ·Affected versions are 0.6.224 and prior (through 0.6.34); the fix is present in version 0.6.35 ↗
CVSS provenance
nvdv3.18.0HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
ghsa5.4MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Open WebUI vulnerable to stored XSS via OAuth picture claim stored as SVG data URI in profile_image_url
ghsa·2026-05-14·CVSS 5.4
CVE-2025-64496 [MEDIUM] CWE-20 Open WebUI vulnerable to stored XSS via OAuth picture claim stored as SVG data URI in profile_image_url
Open WebUI vulnerable to stored XSS via OAuth picture claim stored as SVG data URI in profile_image_url
# Summary
When a user signs in via OAuth, Open WebUI fetches the `picture` claim URL, infers a MIME type from the URL extension via `mimetypes.guess_type`, and stores `data:;base64,...` as the user's profile image. The OAuth code path does not go through the `validate_profile_image_url` Pydantic validator that normally restricts profile images to PNG/JPEG/GIF/WebP. A `.svg` URL in the `picture` claim lands in the database as `data:image/svg+xml;base64,...`.
The profile image endpoint `GET /api/v1/users/{id}/profile/image` returns the stored data URI with the attacker-controlled MIME type as `Content-Type` and `Content-Disposition: inline`. Security headers (CSP, `X-Content-Type-Option
GHSA
Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events
ghsa·2025-11-07
CVE-2025-64496 [HIGH] CWE-501 Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events
Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events
### Summary
Open WebUI v0.6.33 and below contains a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in victim browsers via Server-Sent Event (SSE) `execute` events. This leads to authentication token theft, complete account takeover, and when chained with the Functions API, enables remote code execution on the backend server. The attack requires the victim to enable Direct Connections (disabled by default) and add the attacker's malicious model URL, achievable through social engineering of the admin and subsequent users.
### Details
ROOT CAUSE ANALYSIS:
Open WebUI's Direct Connections feature allow
OSV
Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events
osv·2025-11-07
CVE-2025-64496 [HIGH] Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events
Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events
### Summary
Open WebUI v0.6.33 and below contains a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in victim browsers via Server-Sent Event (SSE) `execute` events. This leads to authentication token theft, complete account takeover, and when chained with the Functions API, enables remote code execution on the backend server. The attack requires the victim to enable Direct Connections (disabled by default) and add the attacker's malicious model URL, achievable through social engineering of the admin and subsequent users.
### Details
ROOT CAUSE ANALYSIS:
Open WebUI's Direct Connections feature allow
No detection rules found.
No public exploits indexed.
2025-11-08
Published