open-webui/open-webui
cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*
- 0.3.8
A Server-Side Request Forgery (SSRF) vulnerability has been identified in open-webui/open-webui version 0.3.8. The issue arises in the '/openai/models' endpoint, where users can manipulate the OpenAI URL without any validation. This flaw enables attackers to direct requests to arbitrary URLs, potentially accessing internal services and extracting sensitive information, such as instance secrets from cloud providers like AWS.
Exploitation of this vulnerability allows attackers to access internal service content, with a particular risk of retrieving instance secrets from AWS, which could lead to command execution on the affected instance.
To reproduce this vulnerability, first set up a local server that can respond to requests. This can be done using a simple Flask application that returns a JSON response. Once the server is running, send a POST request to the '/openai/urls/update' endpoint, including the URL of the local server in the request body. After this request is processed, send a GET request to the '/openai/models/0' endpoint. The response will include the output from the local server, demonstrating the SSRF vulnerability by successfully retrieving data from an internal service.
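The root cause above is a user-controlled upstream base URL that the server fetches with no check on where it points. The following is an added example of the kind of server-side check that closes this bug class; it is not open-webui's own code and does not describe how the project fixed the issue. `check_upstream_url`, `BLOCKED_NETWORKS` and the `resolver` hook are assumed names, and the hostname table in `sample_resolver` is constructed for the demonstration. The check refuses non-http(s) schemes, URLs with embedded credentials, and any host that is, or resolves to, loopback, private, link-local (which covers the 169.254.169.254 cloud metadata address), multicast or reserved space, including IPv4-mapped IPv6 forms.

```python
"""Hardened validation for a user-supplied upstream API base URL (assumed fix shape)."""
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Address space a server-side fetcher must never be pointed at.
BLOCKED_NETWORKS = [ipaddress.ip_network(cidr) for cidr in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

Resolver = Callable[[str], List[str]]


def resolve_with_dns(hostname: str) -> List[str]:
    """Default resolver: every address getaddrinfo returns for the host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def sample_resolver(hostname: str) -> List[str]:
    """Constructed resolver for offline demonstration (documentation-range IPs)."""
    table = {
        "api.example.com": ["203.0.113.10"],
        "internal.corp.example": ["10.0.0.5"],
        # A host with one public and one link-local answer must still be rejected.
        "rebind.example": ["203.0.113.10", "169.254.169.254"],
    }
    if hostname not in table:
        raise socket.gaierror(f"unknown host {hostname!r}")
    return table[hostname]


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_blocked_address(addr: str) -> bool:
    """True if the literal IP lies in a blocked range (IPv4-mapped IPv6 is unwrapped)."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS if net.version == ip.version)


def check_upstream_url(url: str, resolver: Resolver = resolve_with_dns) -> Tuple[bool, str]:
    """Return (accepted, reason) for a URL posted as a new upstream base URL."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # bracket-stripped and lower-cased by urlsplit
        parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        addresses = [host] if _is_ip_literal(host) else resolver(host)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return False, f"resolution failed: {exc}"
    if not addresses:
        return False, "host resolved to no addresses"
    for addr in addresses:
        if is_blocked_address(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://api.example.com/v1",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/",
        "http://rebind.example/",
    ):
        print(candidate, "->", check_upstream_url(candidate, resolver=sample_resolver))
```

Validating at store time is necessary but not sufficient: a hostname can answer with a public address during the check and an internal one when the request is actually made, so the same check should run again at fetch time against the address the HTTP client actually connects to, or the client should be pinned to the vetted address. Rejecting any multi-answer host that includes a blocked address, as `rebind.example` shows, removes the easiest form of that race.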