CVE-2025-64496
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-08

Last updated on: 2025-11-26

Assigner: GitHub, Inc.

Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in victim browsers via Server-Sent Event (SSE) execute events. This leads to authentication token theft, complete account takeover, and when chained with the Functions API, enables remote code execution on the backend server. The attack requires the victim to enable Direct Connections (disabled by default) and add the attacker's malicious model URL, achievable through social engineering of the admin and subsequent users. This issue is fixed in version 0.6.35.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-08
Last Modified
2025-11-26
Generated
2026-06-16
AI Q&A
2025-11-08
EPSS Evaluated
2026-06-14
NVD
CVE-2025-64496
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openwebui open_webui to 0.6.35 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
CWE-501 The product mixes trusted and untrusted data in the same data structure or structured message.
CWE-830 The product includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the product, potentially granting total access and control of the product to the untrusted source.
CWE-95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a code injection flaw in the Direct Connections feature of Open WebUI versions 0.6.224 and earlier. It allows malicious external model servers to execute arbitrary JavaScript in the browsers of victims through Server-Sent Event (SSE) execute events. The attack requires the victim to enable Direct Connections and add the attacker's malicious model URL, often through social engineering. This can lead to theft of authentication tokens, complete account takeover, and potentially remote code execution on the backend server when combined with the Functions API. The issue is fixed in version 0.6.35.

Impact Analysis

The vulnerability can lead to theft of authentication tokens and complete account takeover, allowing attackers to impersonate legitimate users. Additionally, if chained with the Functions API, it can enable remote code execution on the backend server, potentially compromising the entire system. This can result in unauthorized access, data breaches, and loss of control over the affected platform.

Mitigation Strategies

To mitigate this vulnerability, immediately disable the Direct Connections feature if it is enabled, as it is disabled by default. Avoid adding any untrusted or unknown model URLs to the Direct Connections list to prevent malicious external model servers from executing arbitrary JavaScript. Upgrade Open WebUI to version 0.6.35 or later, where this vulnerability is fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64496. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart