High CVSS 7.5

Overview

In version 0.3.8 of open-webui, an endpoint for converting markdown to HTML is exposed without authentication. A maliciously crafted markdown payload can cause the server to spend excessive time converting it, leading to a denial of service. The server becomes unresponsive to other requests until the conversion is complete.

Risk analysis

This vulnerability is rated 🟠 HIGH.

  • CVSS: 7.5 (HIGH)
  • Detected tags: dos, unauth_access (tag impact: HIGH)

Recommended actions:

  • Rate limiting, resource quotas and circuit breakers.
  • Enforce authentication/authorization; reduce default endpoint exposure.

Recommended tools

Tags