CVE-2024-12537
Published: 20 March 2025
Description
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Security Summary
CVE-2024-12537 is a denial-of-service vulnerability in version 0.3.32 of open-webui/open-webui, stemming from the absence of authentication on the `api/v1/utils/code/format` endpoint (CWE-770: Allocation of Resources Without Limits or Throttling). This allows unauthenticated attackers to send POST requests containing an excessively high volume of content, exhausting server resources and rendering it completely unresponsive. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting high availability impact with no confidentiality or integrity effects.
Any unauthenticated attacker with network access can exploit the vulnerability by crafting and sending a POST request with oversized content to the exposed endpoint. Successful exploitation leads to severe performance degradation, server unresponsiveness, or full service interruptions, denying access to legitimate users without requiring privileges, user interaction, or special conditions.
Details on mitigation, including any patches or workarounds, are available in the primary advisory published on Huntr at https://huntr.com/bounties/edabd06c-acc0-428c-a481-271f333755bc. The vulnerability was publicly disclosed on 2025-03-20.
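The two controls whose absence this advisory describes are an authentication requirement on the endpoint and a bound on how much content one request may submit. The following is an added illustration, not Open WebUI's code and not the fix published on Huntr: a framework-agnostic Python guard for a code-format handler that rejects unauthenticated callers before touching the body, caps the body size (checking both the declared Content-Length and the bytes actually received, since the header can lie), and only then runs the expensive formatting step. A second helper scans constructed access-log lines for POSTs to the endpoint that are unauthenticated or oversized, which is the signal a defender would alert on. The token store, the 64 KiB limit, the log format and all sample values are assumptions made for this example.

```python
"""Added example for CVE-2024-12537 (not Open WebUI's own code).

Shows a request guard for a code-format endpoint (auth first, size cap
second, expensive work last) and a log-based detection helper.
All limits, tokens and log lines below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

MAX_FORMAT_BODY_BYTES = 64 * 1024            # assumption: generous for a code snippet
VALID_TOKENS = {"tok-alice-example"}         # constructed stand-in for a session/API-key store
FORMAT_PATH = "/api/v1/utils/code/format"    # endpoint named in the advisory


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]   # header names lower-cased
    body: bytes = b""


@dataclass
class Response:
    status: int
    body: str = ""


def _bearer_token(headers: Dict[str, str]) -> str:
    auth = headers.get("authorization", "")
    if auth.lower().startswith("bearer "):
        return auth[7:].strip()
    return ""


def guard_code_format(req: Request, formatter: Callable[[str], str]) -> Response:
    """Hardened handler: reject cheaply before any CPU-heavy formatting runs."""
    if req.method != "POST" or req.path != FORMAT_PATH:
        return Response(404, "not found")
    # 1. Authentication before the body is even looked at.
    if _bearer_token(req.headers) not in VALID_TOKENS:
        return Response(401, "authentication required")
    # 2. Declared size: a cheap early reject for honest oversized uploads.
    declared = req.headers.get("content-length")
    if declared is not None:
        if not declared.isdigit():
            return Response(400, "bad content-length")
        if int(declared) > MAX_FORMAT_BODY_BYTES:
            return Response(413, "request body too large")
    # 3. Actual size: Content-Length can be absent or understated, so re-check.
    if len(req.body) > MAX_FORMAT_BODY_BYTES:
        return Response(413, "request body too large")
    try:
        source = req.body.decode("utf-8")
    except UnicodeDecodeError:
        return Response(400, "body must be UTF-8")
    # 4. Only now do the resource-intensive work.
    return Response(200, formatter(source))


def trim_trailing_whitespace(source: str) -> str:
    """Toy stand-in for a real code formatter."""
    return "\n".join(line.rstrip() for line in source.splitlines())


# Constructed access log: "<client> <user-or-dash> <method> <path> <status> <request_bytes>"
SAMPLE_LOG: List[str] = [
    "192.0.2.10 alice POST /api/v1/utils/code/format 200 812",
    "198.51.100.7 - POST /api/v1/utils/code/format 200 52428800",
    "203.0.113.9 - POST /api/v1/utils/code/format 200 120",
    "192.0.2.10 alice GET /api/v1/models 200 0",
]


def flag_suspicious_format_posts(log_lines: List[str],
                                 max_bytes: int = MAX_FORMAT_BODY_BYTES) -> List[Tuple[str, int]]:
    """Return (client, request_bytes) for POSTs to the format endpoint that were
    served without an authenticated user or exceeded max_bytes."""
    hits: List[Tuple[str, int]] = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 6:
            continue
        client, user, method, path, _status, size = parts
        if method != "POST" or path != FORMAT_PATH or not size.isdigit():
            continue
        if user == "-" or int(size) > max_bytes:
            hits.append((client, int(size)))
    return hits


if __name__ == "__main__":
    anon = Request("POST", FORMAT_PATH, {}, b"print(1)")
    print(guard_code_format(anon, trim_trailing_whitespace))          # 401
    print(flag_suspicious_format_posts(SAMPLE_LOG))                   # two flagged clients
```

The ordering matters: the authentication check and the size checks are O(1) and run before the formatter, so an unauthenticated or oversized request never reaches the costly path. The detection helper treats an unauthenticated POST of any size to this endpoint as worth flagging, because on an affected version the absence of a user is itself the anomaly.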
Details
- CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)
Affected Products
- open-webui/open-webui 0.3.32
MITRE ATT&CK Enterprise Techniques
- T1499.003 Endpoint Denial of Service: Application Exhaustion Flood
Why these techniques?
The vulnerability enables unauthenticated resource exhaustion via oversized POST requests to a public endpoint, which maps directly to the Application Exhaustion Flood sub-technique of Endpoint Denial of Service.