CVE-2024-12868 in open-webui
Summary
by MITRE • 03/20/2025
In version 0.3.32 of open-webui, the application uses a vulnerable version of the starlette package through its dependency on fastapi. The starlette package versions <=0.49 are susceptible to uncontrolled resource consumption, which can be exploited to cause a denial of service through memory exhaustion. This issue is addressed in fastapi version 0.115.3.
Analysis
by VulDB Data Team • 03/20/2025
CVE-2024-12868 affects open-webui version 0.3.32 and is a transitive dependency issue rather than a flaw in open-webui's own code: open-webui depends on fastapi, and the fastapi release it pins resolves a starlette version that the advisory lists as affected (starlette <= 0.49). The weakness in starlette is uncontrolled resource consumption: a request can make the framework allocate memory without an upper bound, which ends in memory exhaustion. The impact is therefore on availability; nothing in the advisory indicates code execution, privilege escalation or data disclosure, so treating it as a denial-of-service weakness is the accurate reading. Because the vulnerable code lives in starlette, what matters operationally is which starlette version is actually resolved in a given deployment, not the open-webui version string alone.
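The check a practitioner wants here is whether the fastapi and starlette versions actually installed fall inside the ranges the advisory names. The script below is an added example, not VulDB's or open-webui's code: it parses `pip freeze` style output (or a pinned requirements file) and flags fastapi below 0.115.3 and starlette in the 0.49.x-and-earlier range, reading the advisory's "<=0.49" as "any 0.49.x or earlier". The sample freeze output embedded in it is constructed for the demo and is not a claim about what open-webui 0.3.32 really pinned.

```python
"""Audit pinned fastapi/starlette versions against the ranges CVE-2024-12868 names.

Added example (not VulDB's or open-webui's code). Only exact pins ("pkg==x.y.z")
are considered, which is what `pip freeze` emits for a resolved environment.
"""
import re
from typing import Dict, List, Tuple

# Ranges as stated on this page: first fixed fastapi release, and the
# highest starlette major.minor the advisory lists as affected.
FIXED_FASTAPI = (0, 115, 3)
MAX_BAD_STARLETTE = (0, 49)

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*(?:#.*)?$")

# Constructed sample of `pip freeze` output for the demo; not a real lockfile.
SAMPLE_FREEZE = """\
open-webui==0.3.32
fastapi==0.111.0
starlette==0.37.2
uvicorn==0.30.6
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '0.115.3' into (0, 115, 3); stops at the first non-numeric piece ('rc1')."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def cmp_versions(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare version tuples, treating missing trailing components as zero."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def fmt(v: Tuple[int, ...]) -> str:
    return ".".join(map(str, v))


def parse_pins(freeze_output: str) -> Dict[str, Tuple[int, ...]]:
    """Map normalised package name -> version tuple for every exact pin."""
    pins: Dict[str, Tuple[int, ...]] = {}
    for line in freeze_output.splitlines():
        m = PIN_RE.match(line)
        if m:
            name = m.group(1).lower().replace("_", "-")
            pins[name] = parse_version(m.group(2))
    return pins


def audit(freeze_output: str) -> List[str]:
    """Return one finding per affected package; an empty list means the pins are clean."""
    pins = parse_pins(freeze_output)
    findings: List[str] = []
    fa = pins.get("fastapi")
    if fa is not None and cmp_versions(fa, FIXED_FASTAPI) < 0:
        findings.append(f"fastapi {fmt(fa)} < 0.115.3: upgrade to 0.115.3 or later")
    st = pins.get("starlette")
    # The advisory says "<=0.49"; compare on major.minor so 0.49.x is also flagged.
    if st is not None and st[:2] <= MAX_BAD_STARLETTE:
        findings.append(f"starlette {fmt(st)} is in the affected range (<= 0.49)")
    return findings


if __name__ == "__main__":
    import sys
    for finding in audit(sys.stdin.read()):
        print(finding)
```

Run it as `pip freeze | python audit.py` inside the open-webui virtualenv or container; the starlette line in that output is the version that actually gets imported, which is the one the advisory's range applies to.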
Technically, the flaw is that resource use on a request path inside starlette is not bounded: an attacker who can reach the application sends requests crafted to trigger that path, and the process keeps allocating memory until it becomes unresponsive or is terminated. This is CWE-400, "Uncontrolled Resource Consumption", a denial-of-service weakness class. The advisory does not name the specific starlette component or endpoint involved, so the practical assumption is that any request reaching the framework without size or rate limits in front of it is a candidate vector, which is the normal situation for a web UI that accepts user-submitted requests.
Operationally, the impact is loss of availability. Once memory is exhausted the process stalls or is killed by the operating system's out-of-memory handling, in-flight requests are lost, and the service stays down until it is restarted; an attacker who can repeat the trigger can keep it down for as long as the vulnerable version remains deployed. Where open-webui fronts other services (model back ends, authentication, storage), a stalled or crash-looping front end can also surface as failures in those components, so the outage is not necessarily confined to the UI itself.
The fix is a dependency upgrade: move to fastapi version 0.115.3 or later, which pulls in a starlette release outside the affected range, and confirm with pip freeze that the resolved starlette version has actually changed rather than trusting the open-webui or fastapi version string alone. As defence in depth, bound what a single request may consume (body size caps, request timeouts, per-worker memory limits) and alert on abnormal memory growth so a sustained attempt is detected before the host runs out of memory; network-level rate limiting and request filtering reduce the volume of attempts that reach the application. In ATT&CK terms this maps to T1499.004, Endpoint Denial of Service: Application or System Exploitation, and it is a clear example of how a transitive third-party library flaw can compromise an application's availability.
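One concrete form of the request-level limiting recommended above is a size cap on request bodies placed in front of the framework. The middleware below is an added example, not open-webui's or starlette's code; it is written against the raw ASGI interface (no starlette import) so it can be driven with hand-built events and run offline. It assumes that oversized request bodies are one way to drive the memory growth, which this advisory does not specify, and it is defence in depth only: the dependency upgrade remains the actual fix. The ASGI scope, request events and echo application are constructed for the demo.

```python
"""Pure-ASGI middleware that caps request body size (added example, not project code).

Two checks: the declared Content-Length is tested before any body is read, and a
running count over the chunks the application actually pulls catches clients that
omit or lie about Content-Length. Uses only the standard library.
"""
import asyncio
from typing import List, Optional


class BodyTooLarge(Exception):
    """Raised inside the application's receive() once the cap is exceeded."""


class BodySizeLimit:
    def __init__(self, app, max_bytes: int = 10 * 1024 * 1024):
        self.app = app
        self.max_bytes = max_bytes

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return
        declared = self._content_length(scope)
        if declared is not None and declared > self.max_bytes:
            await self._reject(send)          # cheap path: nothing read at all
            return

        seen = 0
        response_started = False

        async def limited_receive():
            nonlocal seen
            message = await receive()
            if message["type"] == "http.request":
                seen += len(message.get("body", b""))
                if seen > self.max_bytes:
                    raise BodyTooLarge()
            return message

        async def tracking_send(message):
            nonlocal response_started
            if message["type"] == "http.response.start":
                response_started = True
            await send(message)

        try:
            await self.app(scope, limited_receive, tracking_send)
        except BodyTooLarge:
            # A 413 is only possible if the app has not already begun a response;
            # otherwise the server closes the connection and nothing more is sent.
            if not response_started:
                await self._reject(send)

    @staticmethod
    def _content_length(scope) -> Optional[int]:
        for name, value in scope.get("headers", []):
            if name.lower() == b"content-length":
                try:
                    return int(value)
                except ValueError:
                    return None
        return None

    @staticmethod
    async def _reject(send):
        body = b"request body too large"
        await send({"type": "http.response.start", "status": 413,
                    "headers": [(b"content-type", b"text/plain"),
                                (b"content-length", str(len(body)).encode())]})
        await send({"type": "http.response.body", "body": body})


async def echo_length_app(scope, receive, send):
    """Constructed stand-in for the wrapped app: reads the whole body, replies with its size."""
    total = 0
    while True:
        message = await receive()
        total += len(message.get("body", b""))
        if not message.get("more_body", False):
            break
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": str(total).encode()})


def run_request(chunks: List[bytes], content_length: Optional[int], max_bytes: int) -> int:
    """Drive the middleware with hand-built ASGI events and return the response status."""
    chunks = chunks or [b""]
    events = [{"type": "http.request", "body": c, "more_body": i < len(chunks) - 1}
              for i, c in enumerate(chunks)]
    headers = [] if content_length is None else [(b"content-length", str(content_length).encode())]
    scope = {"type": "http", "method": "POST", "path": "/", "headers": headers}
    sent = []

    async def receive():
        return events.pop(0)

    async def send(message):
        sent.append(message)

    asyncio.run(BodySizeLimit(echo_length_app, max_bytes)(scope, receive, send))
    return next(m["status"] for m in sent if m["type"] == "http.response.start")
```

In a real deployment the middleware wraps the ASGI application object (`app = BodySizeLimit(app, max_bytes=...)`) and the size should be set to the largest upload the UI legitimately needs, not left at the default; the same cap is usually also enforced at the reverse proxy so oversized bodies never reach the Python process at all.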