Platform: nodejs
Component: open-webui/open-webui
Fixed in: 0.3.9
A critical Cross-Site Scripting (XSS) vulnerability has been identified in open-webui versions up to and including 0.3.8. This flaw resides within the tooltip HTML construction function, allowing attackers to inject malicious scripts. Successful exploitation can lead to unauthorized actions performed with the victim's privileges, potentially compromising sensitive data and system control. The vulnerability was publicly disclosed on 2025-03-20, and users are urged to upgrade to a patched version.
The impact of CVE-2024-8017 is significant due to the potential for privilege escalation and data theft. An attacker could inject JavaScript code into a tooltip displayed to a user, enabling them to steal chat history, delete existing conversations, and, critically, elevate their own account to administrator status if the victim holds administrative privileges. This could grant the attacker complete control over the open-webui instance. The ability to escalate to admin privileges makes this vulnerability particularly dangerous, as it bypasses standard access controls and allows for widespread compromise. open-webui's rendering of user-supplied data without proper sanitization creates a direct attack vector for this XSS vulnerability.
CVE-2024-8017 is currently not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not yet available, but the vulnerability's severity and potential impact suggest it could become a target for exploitation. The vulnerability was disclosed on 2025-03-20, so active exploitation is possible but not confirmed at this time. The open-webui project should be monitored for security advisories and updates.
Exploit Status
EPSS: 0.10% (28th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-8017 is to upgrade to a patched version of open-webui. Unfortunately, the specific patched version is not provided, so users should monitor the open-webui project's official channels for updates. As a temporary workaround, consider implementing strict Content Security Policy (CSP) headers to restrict the execution of inline scripts and limit the sources from which scripts can be loaded. Additionally, input validation and output encoding (HTML entity escaping) should be applied to user-supplied data before it is rendered into HTML, so that untrusted text can never be interpreted as markup. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload into a tooltip and verifying that it is not executed.
Update open-webui to a version later than 0.3.8 that contains the fix for the XSS vulnerability. Refer to the project changelog or release notes for more details about the update and the security measures implemented.
CVE-2024-8017 is a critical Cross-Site Scripting (XSS) vulnerability in open-webui versions up to 0.3.8, allowing attackers to execute malicious scripts and potentially gain admin privileges.
If you are using open-webui version 0.3.8 or earlier, you are potentially affected by this vulnerability. Check your version and upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of open-webui. Monitor the project's official channels for updates and apply the patch as soon as it is released. Implement CSP as a temporary mitigation.
Active exploitation is not yet confirmed, but the vulnerability's severity and potential impact suggest it could become a target. Monitor security advisories and implement mitigations proactively.
Check the official open-webui project's website and GitHub repository for security advisories and updates related to CVE-2024-8017.