PT-2025-12138 · Unknown · Open-Webui
Published 2025-03-20 · Updated 2025-04-04 · CVE-2024-12537
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: open-webui/open-webui version 0.3.32
Description: The absence of an authentication mechanism in open-webui/open-webui allows any unauthenticated attacker to reach the api/v1/utils/code/format endpoint. If a malicious actor sends a POST request carrying an excessively large body, the server can become completely unresponsive, causing severe performance degradation and service interruption for legitimate users.
Recommendations: For version 0.3.32, consider disabling access to the api/v1/utils/code/format endpoint until a patch is available. Restricting the volume of content accepted in POST requests to this endpoint also helps mitigate the issue. As a temporary workaround, limiting the resources allocated to handling requests to this endpoint can keep the server from becoming completely unresponsive.
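The second recommendation, capping the request body accepted on the affected endpoint, can be enforced in front of the handler. The following is an added illustration written for this advisory, not code from the Open WebUI project: a stdlib-only ASGI middleware that buffers the body for the named path up to a cap (the 64 KiB value is an assumption chosen for the example) and returns 413 as soon as the cap is exceeded, so oversized input never reaches the formatter. The echo handler and the request driver are constructed stand-ins for testing.

```python
import asyncio

PROTECTED_PATH = "/api/v1/utils/code/format"  # endpoint named in the advisory
MAX_BODY_BYTES = 64 * 1024  # assumed cap for this example; tune to real usage

class BodySizeLimit:
    """ASGI middleware: buffer the body on the protected path up to a cap and
    answer 413 as soon as the cap is exceeded, before the handler ever runs."""

    def __init__(self, app, path=PROTECTED_PATH, max_bytes=MAX_BODY_BYTES):
        self.app, self.path, self.max_bytes = app, path, max_bytes

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http" or scope["path"] != self.path:
            await self.app(scope, receive, send)  # other routes are untouched
            return
        chunks, total, more = [], 0, True
        while more:  # read chunk by chunk so a streamed body is capped as well
            msg = await receive()
            if msg["type"] != "http.request":  # client went away
                return
            total += len(msg.get("body", b""))
            if total > self.max_bytes:  # stop reading; nothing reaches the handler
                await send({"type": "http.response.start", "status": 413, "headers": []})
                await send({"type": "http.response.body", "body": b"payload too large"})
                return
            chunks.append(msg.get("body", b""))
            more = msg.get("more_body", False)
        body = b"".join(chunks)

        async def replay():  # hand the bounded, already-read body to the real app
            return {"type": "http.request", "body": body, "more_body": False}

        await self.app(scope, replay, send)

async def echo_app(scope, receive, send):
    """Stand-in for the real formatter handler (constructed for this example)."""
    await receive()
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})

def status_for(path, body, chunk=4096):
    """Drive the wrapped app with a chunked request body; return the HTTP status."""
    pieces = [body[i:i + chunk] for i in range(0, len(body), chunk)] or [b""]
    sent = []
    async def receive():
        return {"type": "http.request", "body": pieces.pop(0), "more_body": bool(pieces)}
    async def send(msg):
        sent.append(msg)
    scope = {"type": "http", "path": path, "headers": []}
    asyncio.run(BodySizeLimit(echo_app)(scope, receive, send))
    return sent[0]["status"]
```

In a real deployment the same cap is usually simpler to set at the reverse proxy; the middleware form shows the per-path check itself.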


Weakness Enumeration: Resource Exhaustion; Allocation of Resources Without Limits

Related Identifiers: CVE-2024-12537, GHSA-CHF7-Q7M5-FQ92

Affected Products: Open-Webui