Open WebUI Server-Side Request Forgery Vulnerability via HTTP Redirects

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Open WebUI versions prior to 0.9.5. The issue arises in the validate_url() function, which only checks the initial URL against a private-IP block list. This oversight allows authenticated users to submit public URLs that redirect to internal addresses. The downstream HTTP clients follow these redirects without re-validation, enabling access to internal response bodies through various API endpoints. This vulnerability could expose sensitive information from internal services or metadata.

Impact

Exploitation of this vulnerability allows any authenticated user to access internal response data from HTTP services reachable by the Open WebUI server process. This includes cloud metadata services, localhost-bound application APIs, internal databases, monitoring services, Kubernetes services, and VPN-bridged on-premise networks.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to the '/api/v1/retrieval/process/web' endpoint with a URL that redirects to an internal address. The response will contain the internal payload from the redirected URL. This vulnerability can also be reproduced through the '/api/chat/completions' endpoint by including an 'image_url' part that points to a redirector URL leading to an internal address.

Remediation

Users can update to Open WebUI version 0.9.5 or later, where this vulnerability has been fixed.
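The defensive pattern the fix requires, validating every redirect hop rather than only the first URL, as an added example that is not Open WebUI's own validate_url() code; the hostnames, addresses and the send() interface are constructed so it runs offline:

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

def resolve_all(host):
    """Every address (v4 and v6) the name maps to; [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos]

def is_public_url(url, resolve=resolve_all):
    """Allow only http(s) URLs whose host resolves solely to globally routable addresses;
    is_global rejects loopback, RFC 1918, link-local (incl. 169.254.169.254), ULA IPv6."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    addrs = resolve(p.hostname)
    return bool(addrs) and all(a.is_global for a in addrs)

def safe_fetch(url, send, resolve=resolve_all, max_redirects=5):
    """Follow redirects by hand so every hop is validated, not only the first URL.
    send(url) must do ONE request with auto-redirects off (requests: allow_redirects=False)
    and return (status, headers, body). Caveat: the name is checked before connecting;
    stopping DNS rebinding additionally requires pinning the connection to the checked IP."""
    for _ in range(max_redirects + 1):
        if not is_public_url(url, resolve):
            raise ValueError(f"blocked non-public target: {url}")
        status, headers, body = send(url)
        if status not in (301, 302, 303, 307, 308):
            return url, body
        location = headers.get("Location")
        if not location:
            raise ValueError(f"redirect without Location from {url}")
        url = urljoin(url, location)  # Location may be relative
    raise ValueError("too many redirects")

# Constructed offline simulation (hypothetical hosts, no network): a public redirector
# that 302s to the link-local cloud metadata address, plus a harmless public host.
FAKE_DNS = {h: [ipaddress.ip_address(a)] for h, a in {"redirector.example": "1.1.1.1",
            "public.example": "1.1.1.1", "169.254.169.254": "169.254.169.254"}.items()}

def fake_send(url):
    if urlparse(url).hostname == "redirector.example":
        return 302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""
    return 200, {}, b"RESPONSE-BODY"  # what an auto-following client would hand back

def demo(url="http://redirector.example/go"):
    """('blocked', reason) or ('ok', body) for fetching url through the guard."""
    try:
        return "ok", safe_fetch(url, fake_send, lambda h: FAKE_DNS.get(h, []))[1]
    except ValueError as e:
        return "blocked", str(e)
```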

Added: May 15, 2026, 9:23 PM
Updated: May 15, 2026, 9:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 4.0
remediation: 7.7
relevance: 8.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.