GHSA-w466-2wfc-8g58

Source
https://github.com/advisories/GHSA-w466-2wfc-8g58
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-w466-2wfc-8g58/GHSA-w466-2wfc-8g58.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-w466-2wfc-8g58
Published
2025-03-20T12:32:44Z
Modified
2025-04-15T19:46:34.924495Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Open WebUI has vulnerable dependency on starlette via fastapi
Details

In version 0.3.32 of open-webui, the application uses a vulnerable version of the starlette package through its dependency on fastapi. The starlette package versions <=0.49 are susceptible to uncontrolled resource consumption, which can be exploited to cause a denial of service through memory exhaustion. This issue is addressed in fastapi version 0.115.3.

Database specific
{
    "severity": "HIGH",
    "github_reviewed": true,
    "nvd_published_at": "2025-03-20T10:15:30Z",
    "github_reviewed_at": "2025-03-21T18:51:44Z",
    "cwe_ids": [
        "CWE-400"
    ]
}
References

Affected packages

Package
PyPI / open-webui

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Last affected
0.3.32

Affected versions

0.*

0.1.124
0.1.125
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.3.10
0.3.12
0.3.13
0.3.14
0.3.15
0.3.16
0.3.17.dev2
0.3.17.dev3
0.3.17.dev4
0.3.17.dev5
0.3.17
0.3.18
0.3.19
0.3.20
0.3.21
0.3.22
0.3.23
0.3.24
0.3.25
0.3.26
0.3.27.dev1
0.3.27.dev2
0.3.27.dev3
0.3.27
0.3.28
0.3.29
0.3.30.dev1
0.3.30.dev2
0.3.30
0.3.31.dev1
0.3.31
0.3.32