Vulnerability Description
In version v0.3.32 of open-webui/open-webui, the application allows users to submit large payloads in the email and password fields during the sign-in process due to the lack of character length validation on these inputs. This vulnerability can lead to a Denial of Service (DoS) condition when a user submits excessively large strings, exhausting server resources such as CPU, memory, and disk space, and rendering the service unavailable for legitimate users. This makes the server susceptible to resource exhaustion attacks without requiring authentication.
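The missing check described above is a bound on input length applied before any expensive work (parsing, password hashing, database lookup). The following is an added example written for this page, not Open WebUI's own code: a framework-agnostic validator for a JSON sign-in body that rejects oversized requests and over-long `email`/`password` fields. The limits (`MAX_BODY_BYTES`, `MAX_EMAIL_LEN`, `MAX_PASSWORD_LEN`) and the function names are assumptions chosen for illustration.

```python
"""Bounding a sign-in payload before any expensive work is done.

Added example, not taken from the open-webui project. The limits below are
assumptions: 254 is the maximum SMTP address length per RFC 5321; the
password and body limits are policy choices made here for illustration.
"""
import json

MAX_EMAIL_LEN = 254        # characters and UTF-8 bytes
MAX_PASSWORD_LEN = 128     # UTF-8 bytes, measured before any hashing
MAX_BODY_BYTES = 4096      # raw request body, checked before JSON parsing


class SigninValidationError(ValueError):
    """Raised when a sign-in payload fails structural or length checks."""


def validate_signin_body(raw: bytes) -> dict:
    """Parse and bound a sign-in request body.

    Returns {"email": ..., "password": ...} on success and raises
    SigninValidationError otherwise. Checks run cheapest-first so an
    oversized payload is dropped before the server parses, hashes or
    queries anything on its behalf.
    """
    # 1. Cap the raw body so JSON parsing never allocates for a huge payload.
    if len(raw) > MAX_BODY_BYTES:
        raise SigninValidationError(f"body exceeds {MAX_BODY_BYTES} bytes")

    # 2. Parse; both JSONDecodeError and UnicodeDecodeError are ValueErrors.
    try:
        data = json.loads(raw)
    except ValueError as exc:
        raise SigninValidationError("body is not valid JSON") from exc
    if not isinstance(data, dict):
        raise SigninValidationError("body must be a JSON object")

    # 3. Type-check the two credential fields before measuring them.
    email = data.get("email")
    password = data.get("password")
    if not isinstance(email, str) or not isinstance(password, str):
        raise SigninValidationError("email and password must be strings")

    # 4. Length-bound each field. Measure bytes as well as characters: a
    #    short string of multi-byte characters is still large once encoded
    #    for hashing or storage.
    email = email.strip()
    if not email or len(email) > MAX_EMAIL_LEN or len(email.encode("utf-8")) > MAX_EMAIL_LEN:
        raise SigninValidationError(f"email must be 1..{MAX_EMAIL_LEN} characters")
    if not password or len(password.encode("utf-8")) > MAX_PASSWORD_LEN:
        raise SigninValidationError(f"password must be 1..{MAX_PASSWORD_LEN} bytes")

    return {"email": email.lower(), "password": password}


def check_payload(raw: bytes) -> str:
    """Wrapper returning 'ok' or the rejection reason, suitable for logging."""
    try:
        validate_signin_body(raw)
        return "ok"
    except SigninValidationError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed sample payloads: one ordinary sign-in, one with an
    # excessively long email field of the kind the advisory describes.
    normal = json.dumps({"email": "user@example.com", "password": "correct horse"}).encode()
    oversized = json.dumps({"email": "a" * 100_000, "password": "x"}).encode()
    print(check_payload(normal))     # ok
    print(check_payload(oversized))  # rejected: body exceeds 4096 bytes
```

The order of the checks is the point: the body-size cap runs before `json.loads`, and the per-field caps run before the caller would hash the password or query the user table, so a hostile request costs the server only a length comparison. In a real deployment the same limits are normally enforced at the reverse proxy as well, so malformed bodies never reach the application.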
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openwebui | Open Webui | 0.3.32 |
Related Weaknesses (CWE)
References
- https://huntr.com/bounties/c7c0a4e6-acd3-49b4-8684-2c2c27014b76 (Exploit, Third Party Advisory)
FAQ
What is CVE-2024-12534?
CVE-2024-12534 is a vulnerability with a CVSS score of 7.5 (HIGH). In version v0.3.32 of open-webui/open-webui, the application allows users to submit large payloads in the email and password fields during the sign-in process due to the lack of character length valid...
How severe is CVE-2024-12534?
CVE-2024-12534 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2024-12534?
Check the references section above for vendor advisories and patch information. Affected products include: Openwebui Open Webui.