CVE-2024-9840

Name of the Vulnerable Software and Affected Versions open-webui/open-webui version 0.3.21

Description A Denial of Service (DoS) issue exists, affecting multiple endpoints, including "/ollama/models/upload", "/audio/api/v1/transcriptions", and "/rag/api/v1/doc". The application processes multipart boundaries without authentication, leading to resource exhaustion. By appending additional characters to the multipart boundary, an attacker can cause the server to parse each byte of the boundary, ultimately leading to service unavailability. This issue can be exploited remotely, resulting in high CPU and memory usage, and rendering the service inaccessible to legitimate users.

Recommendations For open-webui/open-webui version 0.3.21, consider implementing authentication for multipart boundary processing to prevent unauthorized access and resource exhaustion. As a temporary workaround, restrict access to the affected endpoints to minimize the risk of exploitation.