CVE-2024-12534

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-12534

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-12534.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-12534

Aliases

GHSA-g3mx-83mp-3rwc

Published

2025-03-20T10:15:29Z

Modified

2025-09-19T14:50:53.732239Z

Summary

[none]

Details

In version v0.3.32 of open-webui/open-webui, the application allows users to submit large payloads in the email and password fields during the sign-in process due to the lack of character length validation on these inputs. This vulnerability can lead to a Denial of Service (DoS) condition when a user submits excessively large strings, exhausting server resources such as CPU, memory, and disk space, and rendering the service unavailable for legitimate users. This makes the server susceptible to resource exhaustion attacks without requiring authentication.

References

https://huntr.com/bounties/c7c0a4e6-acd3-49b4-8684-2c2c27014b76

Affected packages

Git / github.com/open-webui/open-webui

Affected ranges

Type: GIT
Repo: https://github.com/open-webui/open-webui
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

bc29d5d3c3534c7e42eb3bdf5fa5e11e7a287aaa

Affected versions

v0.*

v0.1.102

v0.1.103

v0.1.104

v0.1.105

v0.1.106

v0.1.107

v0.1.108

v0.1.109

v0.1.110

v0.1.111

v0.1.112

v0.1.113

v0.1.114

v0.1.115

v0.1.116

v0.1.117

v0.1.118

v0.1.119

v0.1.120

v0.1.121

v0.1.122

v0.1.123

v0.1.124

v0.1.125

v0.2.0

v0.2.1

v0.2.2

v0.2.3

v0.2.4

v0.2.5

v0.3.0

v0.3.1

v0.3.10

v0.3.11

v0.3.12

v0.3.13

v0.3.14

v0.3.15

v0.3.16

v0.3.17

v0.3.18

v0.3.19

v0.3.2

v0.3.20

v0.3.21

v0.3.22

v0.3.23

v0.3.24

v0.3.25

v0.3.26

v0.3.27

v0.3.28

v0.3.29

v0.3.3

v0.3.30

v0.3.31

v0.3.32

v0.3.4

v0.3.5

v0.3.6

v0.3.7

v0.3.8

v0.3.9