Executive Summary

CVE-2025-65958 is a Server-Side Request Forgery (SSRF) vulnerability in Open WebUI versions prior to 0.6.37. It allows any authenticated user to make the server send HTTP requests to arbitrary URLs without proper validation. This can be exploited to access sensitive internal resources such as cloud metadata endpoints (AWS, GCP, Azure), internal network services behind firewalls, localhost services, and internal APIs. The vulnerability arises because the server does not sufficiently validate or restrict URLs it fetches, enabling attackers to coerce the server into making unintended requests. [2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive internal resources such as cloud metadata endpoints which can expose cloud credentials and lead to full cloud account takeover. Attackers can also scan internal networks, access internal services like databases, admin panels, Kubernetes API servers, and exfiltrate sensitive information such as documentation, configurations, and secrets. The attack requires only basic authentication, has low complexity, and can compromise confidentiality significantly while having low impact on integrity and no impact on availability. [2]

Useful 0 Not Useful 0

Detection Guidance

Detection can focus on identifying unauthorized or suspicious HTTP requests made by the Open WebUI server to internal or cloud metadata endpoints. Since the vulnerability allows authenticated users to make the server fetch arbitrary URLs, monitoring outgoing HTTP requests to sensitive IPs/domains such as 169.254.169.254 (AWS metadata), metadata.google.internal, or metadata.azure.com is key. Commands to detect such activity could include network monitoring tools or logs inspection, for example: 1. Using tcpdump to capture HTTP requests to sensitive IPs: sudo tcpdump -i any host 169.254.169.254 or sudo tcpdump -i any host metadata.google.internal 2. Using curl or wget to test if the vulnerable endpoint is accessible and can be exploited: curl -X POST -H "Authorization: Basic <credentials>" -d '{"url":"http://169.254.169.254/latest/meta-data/iam/security-credentials/"}' http://<open-webui-server>/api/v1/retrieval/process/web 3. Checking server logs for requests to the vulnerable endpoint with suspicious URLs. These approaches help detect exploitation attempts or presence of the vulnerability. [2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include: 1. Upgrade Open WebUI to version 0.6.37 or later, where the vulnerability is fixed. 2. Apply the SSRF protection introduced in the patch, which includes a configurable blocklist filtering requests to sensitive internal IPs and domains (e.g., 169.254.169.254, metadata.google.internal, metadata.azure.com). 3. Configure or extend the blocklist via the environment variable WEB_FETCH_FILTER_LIST to ensure all sensitive endpoints are blocked. 4. Disable local web fetch if not needed by setting ENABLE_RAG_LOCAL_WEB_FETCH to false to prevent requests to private IPs. 5. Monitor and restrict authenticated user access to the vulnerable API endpoint if upgrading immediately is not possible. These steps prevent the server from making unauthorized HTTP requests to internal or cloud metadata services, mitigating the SSRF risk. [1, 2]

Useful 0 Not Useful 0