Open WebUI Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Open WebUI, a self-hosted AI platform, in versions through 0.8.12. It allows any authenticated user with model creation permissions to execute arbitrary JavaScript in the browsers of other users, including admins, who view the affected model in the chat interface. The issue arises because model descriptions are stored without sanitization and later rendered from Markdown to HTML without sanitization, so a link carrying a 'javascript:' URI survives into the page.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the user viewing the model, potentially leading to unauthorized actions or data exposure.

Reproduction

To reproduce this vulnerability, an authenticated user with model creation permissions uploads a model whose description contains a markdown link payload with a 'javascript:' URI as its target. Once the model is saved, any user who clicks the link in the chat UI triggers the injected JavaScript. This can be demonstrated by creating a model that, for example, alerts the user or steals the user's access token from local storage.

Remediation

Users are advised to update to Open WebUI version 0.9.0 or later, where this vulnerability has been fixed. In version 0.9.0, the issue was addressed by wrapping the output of 'marked.parse()' in 'DOMPurify.sanitize()', which removes 'javascript:' URIs and other harmful HTML before it is rendered.
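As an added illustration, not Open WebUI's code, the following minimal markdown-link renderer shows the unsanitized behaviour the advisory describes next to a version that applies the href scheme allowlist a sanitizer such as DOMPurify enforces; the sample description is constructed.

```javascript
// Added example, not Open WebUI's code: a minimal markdown-link renderer in
// the unsanitized form the advisory describes, next to a version that applies
// the href scheme allowlist a sanitizer such as DOMPurify enforces.

// Matches [text](url); the url runs to the ')' that closes the link.
const LINK_RE = /\[([^\]]*)\]\(([^\s]*?)\)(?=\s|$)/g;

// Escape text and attribute values so the description cannot break out of
// the tags we emit (this alone does not stop a 'javascript:' href).
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Pre-fix behaviour: the link target is copied into href unchanged, so a
// 'javascript:' URI becomes a clickable script trigger for whoever views it.
function renderDescriptionUnsafe(markdown) {
  return markdown.replace(LINK_RE, (_, text, url) =>
    `<a href="${escapeHtml(url)}">${escapeHtml(text)}</a>`);
}

// Scheme allowlist in the spirit of DOMPurify's default URI policy. Browsers
// ignore ASCII case and strip whitespace and control characters before
// parsing the scheme, so normalise the same way before checking it.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);

function isSafeUrl(url) {
  const cleaned = url.replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(cleaned);
  if (!m) return true; // no scheme: relative URL or fragment, allowed
  return SAFE_SCHEMES.has(m[1]);
}

// Post-fix behaviour: a link with a disallowed scheme keeps its text but
// loses its href, which is how the sanitizer neutralises such anchors.
function renderDescriptionSafe(markdown) {
  return markdown.replace(LINK_RE, (_, text, url) =>
    isSafeUrl(url)
      ? `<a href="${escapeHtml(url)}">${escapeHtml(text)}</a>`
      : `<a>${escapeHtml(text)}</a>`);
}

// Constructed model description of the kind the advisory describes.
const SAMPLE = 'Coding assistant. [Docs](https://example.invalid/docs) ' +
  '[Click here](JavaScript:alert(1))';
console.log(renderDescriptionUnsafe(SAMPLE));
console.log(renderDescriptionSafe(SAMPLE));
```

The real fix in 0.9.0 passes the full HTML produced by marked.parse() through DOMPurify.sanitize(), which applies this kind of URI policy to every attribute, not only to anchors.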

Added: May 15, 2026, 9:32 PM
Updated: May 15, 2026, 9:32 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 4.2
remediation: 7.7
relevance: 8.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.