Coordinated Disclosure Timeline

Summary

Open-webui is vulnerable to an authenticated blind server-side request forgery.

Project

open-webui

Tested Version

v0.1.111

Details

Blind SSRF in backend/apps/web/routers/utils.py (GHSL-2024-033)

The download endpoint accepts user input in the url GET parameter and later passes it to the download_file_stream function, which uses it as the destination of a server-side GET request. Because the response body is not returned to the caller, this results in a blind server-side request forgery.

import os

import aiohttp


# Vulnerable excerpt (truncated in the advisory): `url` comes directly from the
# request's `url` GET parameter and is handed to aiohttp without any check on
# its scheme or destination host.
async def download_file_stream(url, file_path, file_name, chunk_size=1024 * 1024):
    done = False

    # Resume a partial download if the target file already exists.
    if os.path.exists(file_path):
        current_size = os.path.getsize(file_path)
    else:
        current_size = 0

    headers = {"Range": f"bytes={current_size}-"} if current_size > 0 else {}

    timeout = aiohttp.ClientTimeout(total=600)  # Set the timeout

    async with aiohttp.ClientSession(timeout=timeout) as session:
        # The server-side GET to the user-controlled URL: this is the SSRF sink.
        async with session.get(url, headers=headers) as response:
            total_size = int(response.headers.get("content-length", 0)) + current_size
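As an added illustration of the missing check (this is example code written for this page, not open-webui's own fix), the following validator shows what a download endpoint should run on the url parameter before calling download_file_stream: it allows only http/https, rejects embedded credentials, resolves the host and refuses any address that is not globally routable. The helper names, the `resolver` parameter and the sample URLs are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical check for the `url` GET parameter (not the project's own code).
ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host):
    # Every address the name maps to (A and AAAA): a public hostname that
    # points at an internal address must be caught, not only literal IPs.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_download_url(url, resolver=_resolve):
    """Return (ok, reason); ok is False for anything that could reach an internal host."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = resolver(host)
    except (socket.gaierror, UnicodeError):
        return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop an IPv6 scope id
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # ::ffff:a.b.c.d must be judged as the IPv4 it wraps
        if not ip.is_global:
            # Rejects loopback, RFC 1918, link-local, unique-local, unspecified
            # and other reserved ranges in one check.
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"
```

Validating here and then letting aiohttp resolve the name again leaves a DNS-rebinding window, so a production fix should also connect to the address that was validated rather than re-resolving it.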

Impact

This issue allows sending requests on behalf of the open-webui server and can be leveraged to probe for other vulnerabilities on the server itself or on other back-end systems on the internal network that the open-webui server can reach.

CVE

Credit

This issue was discovered and reported by GHSL team member @sylwia-budzynska (Sylwia Budzynska). This vulnerability was found with the help of CodeQL.

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-033 in any communication regarding this issue.