open-webui/open-webui
cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*
- 0.3.8
A vulnerability allowing arbitrary file writes has been identified in Open-WebUI version 0.3.8, specifically within the download_model endpoint. When the application is deployed on Windows, it mishandles file paths, enabling attackers to manipulate the file destination and write files to arbitrary locations on the server. This flaw could overwrite critical system or application files, causing a denial-of-service, or potentially leading to remote code execution (RCE). Such RCE would allow an attacker to execute malicious code with the privileges of the user running the application, potentially compromising the entire system.
Exploitation of this vulnerability could overwrite important system or application files, disrupt services, and in severe cases, allow for remote code execution. This RCE could be used to execute malicious code with the same privileges as the user running the application, potentially leading to a full system compromise, data exfiltration, and lateral movement within the network.
To reproduce this vulnerability, deploy Open-WebUI on a Windows system. Once deployed, create a malicious repository on Hugging Face and upload a model that exploits the file path handling vulnerability. After obtaining an authorization token, send a POST request to the download_model endpoint, including the URL of the malicious model and the desired file path for the write operation. The server will then write the file to the specified location, exploiting the path traversal vulnerability.
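A defensive check for the flaw described above, as an added example (not Open-WebUI's code or its actual fix): it assumes the destination file name is taken from the last segment of the submitted model URL, and it uses a hypothetical upload root and constructed URLs. It contrasts a POSIX-only basename, which lets backslash segments through to a Windows path join, with a validator that rejects anything Windows treats as path structure.

```python
import ntpath
import posixpath
from pathlib import PureWindowsPath
from urllib.parse import unquote, urlparse

# Hypothetical upload root; not a path taken from Open-WebUI.
UPLOAD_DIR = PureWindowsPath(r"C:\app\data\uploads")

# Constructed sample URLs (example.invalid is a reserved placeholder domain).
BENIGN_URL = "https://example.invalid/org/repo/resolve/main/model.gguf"
TRAVERSAL_URL = "https://example.invalid/org/repo/resolve/main/..%5C..%5Cdropped.bin"


def naive_destination(url: str) -> str:
    """Weak pattern: POSIX basename, then a Windows join.

    posixpath.basename() only splits on '/', so backslashes survive and
    are interpreted as separators once the path reaches Windows rules.
    """
    name = posixpath.basename(unquote(urlparse(url).path))
    return ntpath.normpath(ntpath.join(str(UPLOAD_DIR), name))


def safe_destination(url: str, root: PureWindowsPath = UPLOAD_DIR) -> PureWindowsPath:
    """Return a destination directly under root, or raise ValueError."""
    # Decode first so %5C / %2F cannot hide a separator from the checks.
    name = unquote(urlparse(url).path).rsplit("/", 1)[-1]
    forbidden = set('\\/:\x00')  # separators, drive/stream marker, NUL
    if name in ("", ".", "..") or forbidden & set(name):
        raise ValueError(f"unsafe file name: {name!r}")
    dest = root / name
    # Defence in depth: the joined path must still sit directly in root.
    if dest.parent != root:
        raise ValueError(f"destination escapes upload root: {dest}")
    return dest


def is_rejected(url: str) -> bool:
    try:
        safe_destination(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive :", naive_destination(TRAVERSAL_URL))
    print("safe  :", safe_destination(BENIGN_URL))
    print("reject:", is_rejected(TRAVERSAL_URL))
```

Because the checks use `ntpath` and `PureWindowsPath`, the Windows semantics are applied regardless of the host OS, so the same validation can be unit-tested on a Linux CI runner.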