CVE-2024-7983
HIGH
open-webui 0.3.8 - Unauthenticated Denial of Service via Markdown to HTML Conversion
Title source: llm
Description
In version 0.3.8 of open-webui, an endpoint for converting markdown to HTML is exposed without authentication. A maliciously crafted markdown payload can cause the server to spend excessive time converting it, leading to a denial of service. The server becomes unresponsive to other requests until the conversion is complete.
References (1)
Core References
Exploit, Third Party Advisory
https://huntr.com/bounties/f8156ca5-1328-480f-a72b-8d3dfdad87dc
Scores
CVSS v3
7.5
EPSS
0.0041
EPSS Percentile
61.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-770
Status
published
Products (2)
openwebui/open_webui
0.3.8
pypi/open-webui
0
PyPI
Published
Mar 20, 2025
Tracked Since
Feb 18, 2026