CVE-2024-7959
Published: 20 March 2025
Description
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Security Summary
CVE-2024-7959 is a Server-Side Request Forgery (SSRF) vulnerability, mapped to CWE-918, in the `/openai/models` endpoint of open-webui/open-webui version 0.3.8. The flaw enables an attacker to replace the OpenAI URL with any arbitrary URL without validation checks, causing the server to send a request to the attacker-specified URL and return its output. This issue carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to its confidentiality impact and changed scope.
An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction. By manipulating the endpoint, they can force the server to interact with internal services, potentially exposing sensitive data or instance secrets that enable command execution.
Mitigation guidance is available in the Huntr advisory at https://huntr.com/bounties/3c8bea0a-d678-4d67-bb9c-2b5b610a2193.
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category
- Enterprise AI Assistants
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- MITRE ATLAS Techniques
- None mapped
- Classification Reason
- Open-WebUI is a self-hosted web interface for interacting with LLMs and OpenAI-compatible APIs, functioning as an enterprise-grade AI assistant platform. The vulnerability is in the `/openai/models` endpoint, directly tied to AI model management.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in public-facing /openai/models endpoint enables exploitation of public-facing application (T1190) and access to internal instance secrets via cloud metadata API (T1552.005).