Plattform
nodejs
Komponente
open-webui/open-webui
Behoben in
0.3.9
CVE-2024-8017 represents a critical Cross-Site Scripting (XSS) vulnerability affecting open-webui versions up to 0.3.8. This flaw resides in the tooltip HTML construction function, allowing attackers to inject malicious scripts. Successful exploitation can lead to unauthorized access, data theft, and privilege escalation, particularly impacting users with administrative roles. The vulnerability was publicly disclosed on 2025-03-20, and users are advised to upgrade to a patched version.
The impact of CVE-2024-8017 is significant due to the potential for complete account compromise. An attacker exploiting this XSS vulnerability can execute arbitrary JavaScript code within the context of a victim's browser session. This allows them to steal sensitive data such as chat history, delete existing conversations, and, crucially, escalate their own privileges to an administrator account if the victim holds such permissions. This privilege escalation represents a severe security risk, enabling attackers to gain full control over the open-webui instance and potentially compromise the entire system it serves. The ability to steal chat history also poses a privacy risk, exposing confidential communications.
CVE-2024-8017 was publicly disclosed on 2025-03-20. Currently, there is no indication of this vulnerability being actively exploited in the wild, nor are there any known public proof-of-concept exploits. The vulnerability is not listed on the CISA KEV catalog at the time of this writing. The CVSS score of 9.0 (CRITICAL) indicates a high potential for exploitation if a suitable exploit is developed and deployed.
Organizations and individuals using open-webui for chat applications, particularly those with administrator accounts, are at significant risk. Shared hosting environments where multiple users share the same open-webui instance are especially vulnerable, as an attacker could potentially compromise all users on the server. Users relying on legacy configurations or outdated security practices are also at increased risk.
• nodejs: Monitor application logs for unusual JavaScript execution patterns or errors related to HTML rendering. Use Node.js security linters to identify potential XSS vulnerabilities in the codebase.
npm audit open-webui• generic web: Inspect HTTP response headers for Content-Security-Policy (CSP) directives. A missing or weak CSP can increase the risk of XSS attacks.
curl -I https://your-open-webui-instance.com |
grep -i content-security-policydisclosure
Exploit-Status
EPSS
0.10% (28% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2024-8017 is to upgrade to a patched version of open-webui. Unfortunately, a specific fixed version is not provided, so users should monitor the open-webui project's release notes for updates. As a temporary workaround, consider implementing strict Content Security Policy (CSP) headers to restrict the execution of inline scripts and external resources. Additionally, input validation and output encoding on the affected tooltip generation function can help prevent malicious code injection. After upgrading, verify the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) into a tooltip field and confirming that the script does not execute.
Aktualisieren Sie open-webui auf eine Version > 0.3.8, die die Korrektur für die XSS-Schwachstelle enthält. Konsultieren Sie das Änderungsprotokoll des Projekts oder die Versionshinweise für weitere Details zur Aktualisierung und den implementierten Sicherheitsmaßnahmen.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2024-8017 is a critical Cross-Site Scripting (XSS) vulnerability in open-webui versions up to 0.3.8, allowing attackers to execute malicious scripts and potentially gain admin privileges.
If you are using open-webui version 0.3.8 or earlier, you are potentially affected by this vulnerability. Check your version and upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of open-webui. Monitor the project's official channels for updates and apply the patch as soon as it is released. Implement CSP as a temporary mitigation.
Active exploitation is not yet confirmed, but the vulnerability's severity and potential impact suggest it could become a target. Monitor security advisories and implement mitigations proactively.
Check the official open-webui project's website and GitHub repository for security advisories and updates related to CVE-2024-8017.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.