CVE-2024-12537

Source
https://cve.org/CVERecord?id=CVE-2024-12537
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-12537.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-12537
Aliases
Published
2025-03-20T10:09:10.774Z
Modified
2026-07-08T08:05:26.628734263Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Unauthenticated Denial of Service in open-webui/open-webui
Details

In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker to access the api/v1/utils/code/format endpoint. If a malicious actor sends a POST request with an excessively high volume of content, the server could become completely unresponsive. This could lead to severe performance issues, causing the server to become unresponsive or experience significant degradation, ultimately resulting in service interruptions for legitimate users.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/12xxx/CVE-2024-12537.json",
    "cna_assigner": "@huntr_ai",
    "cwe_ids": [
        "CWE-770"
    ]
}
References

Affected packages

Git / github.com/open-webui/open-webui

Affected ranges

Type
GIT
Repo
https://github.com/open-webui/open-webui
Events
Database specific
{
    "source": "CPE_STRING",
    "cpe": "cpe:2.3:a:openwebui:open_webui:0.3.32:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0.3.32"
        },
        {
            "last_affected": "0.3.32"
        }
    ]
}

Affected versions

0.*
0.3.32
v0.*
v0.3.32

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-12537.json"