VDB
EN
MEDIUM 4.3

GHSA-jgx9-jr5x-mvpv

Open WebUI has Blind Server Side Request Forgery in its Image Edit Functionality

상세

### Summary There is a blind server side request forgery in the functionality that allows editing an image via a prompt. The affected function will perform a GET request on the URL provided by the user. There is no restriction on the domain of the provided URL allowing the local address space to be interacted with. Since the SSRF is blind (the response cannot be read) impact is port scanning of the local network because it can be confirmed if the port is open based on if the GET request failed.

### Details The vulnerability occurs here: https://github.com/open-webui/open-webui/blob/2b26355002064228e9b671339f8f3fb9d1fafa73/backend/open_webui/routers/images.py#L850-L916 Line 911 shows the user provided URL passed to the function `load_url_image`. Within this function on line 883 HTTP/HTTPs URLs are trusted blindly and called asynchronously with `requests.get`.

### PoC The vulnerability can be reproduced with the following curl command: ``` curl -X POST http://localhost:3000/api/v1/images/edit \ -H "Authorization: Bearer <token>" \ -H "Content-Type: application/json" \ -d '{"form_data":{ "image": "<url>", "prompt": "poc"} }' ```

### Impact Response differentials can be used to port scan the local network: <img width="3016" height="736" alt="image" src="https://github.com/user-attachments/assets/93b4df52-b23c-4ed7-a5fa-9cbedb30091c" /> This can be automated to iterate through the entire port range to determine open ports. If the service running on an open port can be inferred the user may be able to interact with it in a meaningful way if the service offers any state changing GET request endpoints.

### Remediation Restrict provided URLs from local address space.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / open-webui
최초 영향 버전: 0

No fixed version published yet for open-webui (pip). Pin to a known-safe version or switch to an alternative.

참고