Open WebUI Path Traversal Vulnerability Leading to Arbitrary File Upload and Deletion

Vulnerability

A path traversal vulnerability allowing arbitrary file upload and deletion has been identified in Open WebUI versions prior to 0.6.10. The issue arises because uploaded audio files are sent to a static directory without proper validation or sanitization of the file names. This flaw enables users to traverse out of the designated upload directory and overwrite or delete files anywhere on the server's filesystem, depending on the permissions of the user running the web server.

Impact

Exploitation of this vulnerability allows for arbitrary file uploads to locations outside the intended upload directory, with the potential to overwrite existing files or delete files, depending on the uploaded file's path.

Reproduction

To reproduce this vulnerability, upload a file through the Open WebUI HTTP interface using a valid user session. The file name can be crafted to include dot-segments that exploit the path traversal vulnerability, allowing the file to be uploaded to an arbitrary location on the server. After the file is uploaded, it will be deleted by the application, demonstrating the vulnerability's impact.

Remediation

Users are advised to update to Open WebUI version 0.6.10 or later, where this vulnerability has been fixed.
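For anyone auditing their own upload handlers for the same class of bug, here is an added example (not Open WebUI's code and not its actual patch) contrasting a handler that joins the client-supplied file name directly with one that confines the result to the upload directory. `UPLOAD_DIR`, `naive_destination` and `safe_destination` are hypothetical names chosen for illustration, and the upload root is an assumed path.

```python
import os
import uuid
from pathlib import Path

# Assumed upload root for this example; not Open WebUI's real directory.
UPLOAD_DIR = Path("/srv/app/uploads")


def naive_destination(upload_dir: Path, client_name: str) -> Path:
    """Unsafe pattern: the client-supplied name is joined as-is, so
    dot-segments in the name decide where the file is written and,
    later, which path is deleted."""
    return Path(os.path.normpath(upload_dir / client_name))


def safe_destination(upload_dir: Path, client_name: str) -> Path:
    """Return a storage path that cannot leave upload_dir."""
    # Treat both separator styles as separators and keep only the last
    # component, so directory parts of the client name are discarded.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", "..") or "\x00" in base:
        raise ValueError("rejected file name")
    # A server-generated prefix means the client never controls the full
    # name and cannot target an existing file.
    root = upload_dir.resolve()
    candidate = (root / f"{uuid.uuid4().hex}_{base}").resolve()
    # Defence in depth: re-check containment after resolution, in case
    # the stripping above is ever changed or bypassed.
    if root not in candidate.parents:
        raise ValueError("path escapes upload directory")
    return candidate


if __name__ == "__main__":
    crafted = "../../../tmp/constructed.wav"  # constructed sample input
    print("naive:", naive_destination(UPLOAD_DIR, crafted))
    print("safe: ", safe_destination(UPLOAD_DIR, crafted))
```

The path returned by the safe variant should be the one used for both the write and any later cleanup, so that the delete step cannot be pointed at a different location than the upload.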

Added: May 15, 2026, 10:41 PM
Updated: May 15, 2026, 10:41 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.8
exploitability: 4.6
remediation: 7.7
relevance: 8.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.