CVE-2025-64496 Overview
CVE-2025-64496 is a code injection vulnerability affecting Open WebUI, a self-hosted artificial intelligence platform designed to operate entirely offline. The vulnerability exists in the Direct Connections feature and allows malicious external model servers to execute arbitrary JavaScript in victim browsers via Server-Sent Event (SSE) execute events. Successful exploitation can lead to authentication token theft and complete account takeover and, when chained with the Functions API, to remote code execution on the backend server.
Critical Impact
This vulnerability enables a multi-stage attack chain that escalates from client-side JavaScript injection to full backend server compromise through authentication token theft and abuse of the Functions API.
Affected Products
- Open WebUI versions 0.6.224 and prior
- openwebui:open_webui (all versions before 0.6.35)
Discovery Timeline
- 2025-11-08 - CVE-2025-64496 published to NVD
- 2025-11-26 - Last updated in NVD database
Technical Details for CVE-2025-64496
Vulnerability Analysis
This vulnerability is classified as CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code), commonly known as code injection. The flaw resides in the Direct Connections feature of Open WebUI, which allows users to connect to external model servers. When a victim connects to a malicious model server, the attacker can leverage Server-Sent Events (SSE) to inject and execute arbitrary JavaScript code within the victim's browser context.
The attack chain is particularly dangerous because it enables a progression from initial client-side code execution to full backend server compromise. Once an attacker achieves JavaScript execution in the victim's browser, they can steal authentication tokens, effectively taking over the victim's account. With elevated privileges, the attacker can then leverage the Functions API to achieve remote code execution on the Open WebUI backend server.
Root Cause
The root cause of this vulnerability is insufficient input validation and sanitization of SSE execute events received from external model servers. The Direct Connections feature fails to properly neutralize or validate the content of SSE messages before processing them, allowing malicious JavaScript payloads embedded in these events to be executed in the browser context.
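One way to apply the validation the root cause calls for, shown as an added example rather than Open WebUI's code or its actual fix: parse the stream, deliver only allowlisted event types as plain data, and record everything else. The event names, JSON fields and sample stream are assumptions constructed for illustration.

```javascript
// Added example, not Open WebUI code. Event names and JSON fields are assumptions.
const ALLOWED_EVENTS = new Set(["message", "status"]); // hypothetical data-only types

// Parse a text/event-stream body into {type, data} records (WHATWG SSE framing).
function parseSse(text) {
  const events = [];
  let type = "message", data = [];
  for (const line of text.split(/\r\n|\r|\n/)) {
    if (line === "") {                          // blank line ends one event
      if (data.length) events.push({ type, data: data.join("\n") });
      type = "message"; data = []; continue;
    }
    if (line.startsWith(":")) continue;         // comment or keep-alive
    const i = line.indexOf(":");
    const field = i === -1 ? line : line.slice(0, i);
    let value = i === -1 ? "" : line.slice(i + 1);
    if (value.startsWith(" ")) value = value.slice(1);
    if (field === "event") type = value || "message";
    else if (field === "data") data.push(value);
  }
  return events;                                // an unterminated trailing event is dropped
}

// Deliver allowlisted events as plain data; record everything else for alerting.
// No payload ever reaches eval, new Function or an HTML sink.
function dispatch(events, origin) {
  const delivered = [], rejected = [];
  for (const ev of events) {
    if (!ALLOWED_EVENTS.has(ev.type)) {
      rejected.push({ origin, type: ev.type, reason: "event type not allowlisted" });
      continue;
    }
    let payload = null;
    try { payload = JSON.parse(ev.data); } catch { /* rejected below */ }
    if (payload === null || typeof payload !== "object") {
      rejected.push({ origin, type: ev.type, reason: "payload is not a JSON object" });
      continue;
    }
    delivered.push({ type: ev.type, text: String(payload.text ?? "") });
  }
  return { delivered, rejected };
}

// Constructed sample stream; the "execute" payload is an inert placeholder.
const SAMPLE_STREAM = [
  "event: message", 'data: {"text":"Hello"}', "", ": keep-alive", "",
  "event: execute", 'data: {"code":"PLACEHOLDER"}', "",
  "event: status", "data: not-json", "",
].join("\n");
```

The `rejected` list doubles as a detection signal: an unexpected event type from a configured model server is worth an alert.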
Attack Vector
The attack requires the victim to enable Direct Connections (which is disabled by default) and add the attacker's malicious model URL to their Open WebUI instance. This is typically achievable through social engineering tactics targeting administrators and subsequent users. Once a malicious model server URL is configured:
- The victim's browser establishes an SSE connection to the attacker-controlled server
- The malicious server sends specially crafted SSE execute events containing JavaScript payloads
- The vulnerable Open WebUI client processes these events without proper sanitization
- Arbitrary JavaScript executes in the victim's browser context
- The attacker steals authentication tokens and gains account access
- Using compromised credentials, the attacker leverages the Functions API for backend RCE
The vulnerability requires network access and user interaction, as the victim must be convinced to add the malicious model URL. However, once this prerequisite is met, the exploitation is straightforward with low attack complexity.
Detection Methods for CVE-2025-64496
Indicators of Compromise
- Unexpected external model server URLs configured in Direct Connections settings
- Unusual outbound SSE connections to unfamiliar or suspicious domains
- Authentication token access from unexpected IP addresses or user agents
- Unauthorized modifications to Functions API configurations
- Signs of data exfiltration or account behavior anomalies
Detection Strategies
- Monitor network traffic for SSE connections to external model servers, especially newly added or untrusted domains
- Implement logging for all Direct Connections configuration changes and additions of new model URLs
- Enable browser-side Content Security Policy (CSP) monitoring to detect unauthorized script execution attempts
- Review Functions API access logs for unusual or unauthorized activity patterns
Monitoring Recommendations
- Deploy network monitoring to track all outbound connections from Open WebUI instances
- Implement alerting for administrative configuration changes, particularly Direct Connections modifications
- Monitor authentication token usage patterns for anomalies indicating potential theft
- Establish baseline behavior for Functions API usage and alert on deviations
How to Mitigate CVE-2025-64496
Immediate Actions Required
- Upgrade Open WebUI to version 0.6.35 or later immediately
- Audit all configured Direct Connections and remove any untrusted or suspicious model server URLs
- Review user accounts for signs of compromise, especially admin accounts
- Disable the Direct Connections feature if not strictly required for operations
- Rotate authentication tokens for all users as a precautionary measure
Patch Information
The vulnerability has been fixed in Open WebUI version 0.6.35. The fix is available via the official GitHub commit. Organizations should upgrade to the patched version as soon as possible. For complete technical details about the vulnerability, refer to the GitHub Security Advisory GHSA-cm35-v4vp-5xvx.
Workarounds
- Keep Direct Connections disabled (the default setting) until the patch can be applied
- Implement strict allowlisting for external model server URLs if Direct Connections must be enabled
- Deploy network-level controls to restrict outbound connections from Open WebUI to only trusted endpoints
- Educate administrators and users about social engineering risks related to adding external model URLs
- Implement additional authentication controls and monitoring for the Functions API
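The strict allowlisting workaround above, sketched as an added example that is not part of the advisory or of Open WebUI: it audits configured model server URLs with exact host and port matching. The hostnames, ports and function names are constructed placeholders.

```javascript
// Added example: strict allowlist check for Direct Connections model server URLs.
// Hosts and ports are constructed placeholders, not values from the advisory.
const ALLOWLIST = [
  { host: "models.example.internal", port: "" },     // "" = default https port (443)
  { host: "llm-gw.example.internal", port: "8443" },
];

function checkModelUrl(raw, allowlist = ALLOWLIST) {
  let u;
  try { u = new URL(raw); }
  catch { return { ok: false, reason: "unparseable URL" }; }
  if (u.protocol !== "https:") return { ok: false, reason: "scheme is not https" };
  if (u.username || u.password) return { ok: false, reason: "embedded credentials" };
  // URL() lowercases the host; drop a trailing dot so "host." and "host" compare equal.
  const host = u.hostname.replace(/\.$/, "");
  // Exact match only: suffix or substring matching would accept look-alike hosts.
  const hit = allowlist.some((e) => e.host === host && e.port === u.port);
  return hit
    ? { ok: true, reason: "allowlisted" }
    : { ok: false, reason: `host ${host}:${u.port || "443"} not allowlisted` };
}

// Return only the configured URLs that fail the check, with the reason for each.
function auditConnections(urls, allowlist = ALLOWLIST) {
  return urls
    .map((url) => ({ url, ...checkModelUrl(url, allowlist) }))
    .filter((r) => !r.ok);
}

// Constructed sample of configured connection URLs.
const CONFIGURED_SAMPLE = [
  "https://models.example.internal/v1",                // allowed
  "https://MODELS.example.internal.:443/v1",           // allowed after normalization
  "https://llm-gw.example.internal:8443/api",          // allowed
  "http://models.example.internal/v1",                 // plaintext scheme
  "https://models.example.internal.other.example/v1",  // look-alike suffix
  "https://models.example.internal@other.example/v1",  // userinfo trick
  "https://llm-gw.example.internal/api",               // wrong port
];
```

Running `auditConnections(CONFIGURED_SAMPLE)` returns the four entries that should be removed or reviewed.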
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


