Open WebUI Cross-Site Request Forgery Vulnerability in Image Uploading Functionality

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Open WebUI versions prior to 0.9.3. The image uploading feature accepts an attacker-supplied image URL without checking that it points at a trusted origin, so a stored image reference can be made to point at an endpoint the attacker controls. Whenever an authenticated user's browser renders that image, it issues a GET request to the attacker's URL; the advisory lists cookie theft, denial of service, and other malicious actions as possible consequences. The stored reference is rendered in several locations within the application, including profile pictures, model images, and shared notes, and each of them triggers the request.

Impact

Exploitation of this vulnerability allows Cross-Site Request Forgery, with the potential for cookie theft and denial of service. Note for triage: a browser attaches to the forced GET only the cookies scoped to the requested origin, so the Open WebUI session cookie itself is not sent to an attacker-controlled host by that request; what the attacker reliably obtains is confirmation that the victim rendered the image, together with the victim's IP address, User-Agent and Referer, plus the ability to make every viewer's browser hit an attacker-chosen URL.

Reproduction

To reproduce this vulnerability, an authenticated user uploads an image by sending a POST request to the image upload endpoint, supplying as the image URL an address that points to an endpoint controlled by the attacker. Once the image is stored, the attacker's endpoint receives a GET request each time a victim's browser renders the image, and the attacker can observe that request together with whatever headers and cookies the victim's browser attaches to it.

Remediation

Users are advised to update to Open WebUI version 0.9.3 or later, where this vulnerability has been fixed.
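The following is an added example, not code from Open WebUI or from this advisory, and it does not describe the project's actual fix. It models the weak behaviour (persist whatever image URL the client sends, which is then rendered as an img src) next to an allowlist validator that accepts only base64 data: URIs carrying real image bytes or same-origin file paths. The /api/v1/files/ prefix, the MIME allowlist, the size cap, and the sample URLs are assumptions made for illustration; the real upload endpoint is not named on this page.

```python
"""Added example (not Open WebUI's code): rejecting image references that
would make every viewer's browser fetch an off-origin URL.

Assumptions: the image is stored as a string later rendered as <img src=...>,
and same-origin uploaded files live under an assumed /api/v1/files/ route.
"""
import base64
import binascii
import re
from urllib.parse import urlsplit

# Assumed policy: only these raster types may be embedded inline.
ALLOWED_DATA_MIME = {"image/png", "image/jpeg", "image/gif", "image/webp"}
ALLOWED_LOCAL_PREFIX = "/api/v1/files/"   # assumed same-origin file route
MAX_DECODED_BYTES = 2 * 1024 * 1024

_DATA_URI = re.compile(
    r"data:(?P<mime>[a-z]+/[a-z0-9.+-]+);base64,(?P<payload>[A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)

# Leading bytes that must match the declared type, so an HTML or SVG payload
# cannot be stored under an image/* label.
_MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}


def store_image_url_vulnerable(url: str) -> str:
    """Before: whatever the client sent is persisted and later rendered, so
    every viewer's browser is made to GET an attacker-chosen URL."""
    return url


def validate_image_url(url: str) -> str:
    """Return url unchanged if it is safe to render; raise ValueError if not."""
    m = _DATA_URI.fullmatch(url)
    if m:
        mime = m.group("mime").lower()
        if mime not in ALLOWED_DATA_MIME:
            raise ValueError(f"disallowed inline type {mime}")
        try:
            raw = base64.b64decode(m.group("payload"), validate=True)
        except binascii.Error as exc:
            raise ValueError("malformed base64") from exc
        if len(raw) > MAX_DECODED_BYTES:
            raise ValueError("inline image too large")
        if mime == "image/webp":
            ok = raw[:4] == b"RIFF" and raw[8:12] == b"WEBP"
        else:
            ok = any(raw.startswith(sig) for sig in _MAGIC[mime])
        if not ok:
            raise ValueError(f"payload does not look like {mime}")
        return url

    parts = urlsplit(url)
    # Any scheme (http, https, javascript, data:text/html ...) or any host
    # component (including protocol-relative //host) means an off-origin
    # fetch by every viewer: reject it.
    if parts.scheme or parts.netloc:
        raise ValueError("only same-origin image paths are allowed")
    if not parts.path.startswith(ALLOWED_LOCAL_PREFIX):
        raise ValueError("path outside the allowed file route")
    if ".." in parts.path.split("/"):
        raise ValueError("path traversal rejected")
    return url


# Constructed sample inputs (not real Open WebUI traffic).
_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLES = {
    "png_data_uri": "data:image/png;base64," + base64.b64encode(_PNG).decode(),
    "local_file": "/api/v1/files/0b1c2d3e/content",
    "remote_http": "https://attacker.example/pixel.gif",
    "protocol_relative": "//attacker.example/pixel.gif",
    "javascript_scheme": "javascript:alert(1)",
    "html_data_uri": "data:text/html;base64,PHNjcmlwdD4=",
    "mislabelled_svg": "data:image/png;base64,"
    + base64.b64encode(b"<svg onload=alert(1)>").decode(),
    "traversal": "/api/v1/files/../../admin",
}


def classify(samples=None):
    """Map each sample name to True (accepted) or False (rejected)."""
    samples = SAMPLES if samples is None else samples
    result = {}
    for name, url in samples.items():
        try:
            validate_image_url(url)
            result[name] = True
        except ValueError:
            result[name] = False
    return result


if __name__ == "__main__":
    for name, accepted in classify().items():
        print(f"{name:18} {'accept' if accepted else 'reject'}")
```

The validator deliberately does not try to enumerate bad hosts: anything with a scheme or authority is rejected, because the browser will fetch it from wherever it points, and the only references a viewer's browser should be made to load are inline bytes or paths served by the application itself.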

Added: May 15, 2026, 10:30 PM
Updated: May 15, 2026, 10:30 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.4
exploitability: 4.4
remediation: 7.7
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.