CVE-2024-12537

HIGH

open-webui 0.3.32 - Unauthenticated Denial of Service via Code Format Endpoint

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-12537. PoCs published by fineman999.

AI-analyzed exploit summary: This repository contains a nuclei template and verification script to detect CVE-2024-12537, an unauthenticated denial-of-service vulnerability in Open WebUI's code formatting endpoint. It includes a Docker lab for testing but does not execute a DoS payload.

Description

In version 0.3.32 of open-webui/open-webui, the `api/v1/utils/code/format` endpoint enforces no authentication, so any unauthenticated attacker can reach it. A POST request carrying an excessively large body can make the server completely unresponsive. The result is severe performance degradation or a full outage, interrupting service for legitimate users.

Exploits (1)

nomisec SCANNER
by fineman999 · poc
https://github.com/fineman999/POC_CVE-2024-12537

Classification
Scanner 95%
Attack Type
DoS
Complexity
Trivial
Reliability
Reliable
Target: Open WebUI < 0.5.14
No auth needed
Prerequisites: nuclei installed (optional) · Docker for lab environment
devstral-2 · analyzed May 23, 2026

Scores

CVSS v3 7.5
EPSS 0.0267
EPSS Percentile 86.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-770
Status published
Products (3)
npm/open-webui 0 (npm)
openwebui/open_webui 0.3.32
pypi/open-webui 0 (PyPI)
Published Mar 20, 2025
Tracked Since Feb 18, 2026