CVE-2024-7035 in open-webui
Summary
by MITRE • 03/20/2025
In version v0.3.8 of open-webui/open-webui, sensitive actions such as deleting and resetting are performed using the GET method. This vulnerability allows an attacker to perform Cross-Site Request Forgery (CSRF) attacks, where an unaware user can unintentionally perform sensitive actions by simply visiting a malicious site or through top-level navigation. The affected endpoints include /rag/api/v1/reset, /rag/api/v1/reset/db, /api/v1/memories/reset, and /rag/api/v1/reset/uploads. This impacts both the availability and integrity of the application.
Analysis
by VulDB Data Team • 07/29/2025
The vulnerability identified as CVE-2024-7035 resides in open-webui/open-webui version 0.3.8 and stems from exposing state-changing operations over HTTP GET. The affected endpoints /rag/api/v1/reset, /rag/api/v1/reset/db, /api/v1/memories/reset and /rag/api/v1/reset/uploads each delete or reset server-side data, yet they are reachable with a plain GET request and the application applies no anti-CSRF token, Origin check or other request-context validation to them. Because the browser attaches the victim's session cookie to any request it makes to the application's origin, an attacker only has to make an authenticated user's browser fetch one of these URLs: an <img src>, a hyperlink, a redirect or a top-level navigation to the URL is enough, and no script on the attacker's page is required. A session cookie marked SameSite=Lax is still sent on a top-level cross-site GET navigation, which is why the summary singles that case out; only SameSite=Strict, or refusing GET for these operations altogether, closes it.
The weakness maps to CWE-352, Cross-Site Request Forgery. In ATT&CK terms the delivery corresponds to T1566.002, Phishing: Spearphishing Link, since the attacker relies on the trust relationship between the user and the application to turn a single click or page visit into an unauthorized action. The impact is to integrity and availability: an unwitting request can wipe the RAG vector database, delete uploaded documents or clear a user's stored memories, and the application performs the reset without any confirmation step.
The operational impact goes beyond the single request: a reset of the RAG store or of the uploads directory removes the knowledge base that every dependent chat relies on, and recovery means re-ingesting documents from a backup rather than undoing the call. Nothing in the advisory indicates code execution or privilege escalation; the consequence is loss of data and of service for the affected instance.
Using GET for operations that change state violates the HTTP semantics that OWASP guidance and RFC 9110 build on: GET is defined as safe and idempotent, so browsers, proxies, prefetchers and link previewers issue it freely without user intent, and the usual CSRF defences (synchronizer tokens, Origin validation, SameSite cookie rules) are not normally applied to it. The flaw is not one of input validation but of method and request-context enforcement: the reset endpoints require no explicit confirmation, no token and no evidence that the request originated from the application's own pages. Moving them to POST is necessary but not sufficient on its own, because a POST can still be forged with an auto-submitting cross-site form; the POST handler must additionally verify an anti-CSRF token or check the Origin header. Exploitation requires minimal skill, since the entire payload fits in one HTML page or one crafted link sent by e-mail or embedded in otherwise legitimate content, and user education alone cannot mitigate it: the victim sees nothing unusual before the request has already executed.
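The check the paragraph above says is missing, written out as an added example for this page rather than Open WebUI code: the pre-fix decision (any authenticated request, GET included, reaches the reset handler) beside a hardened decision that refuses GET, verifies the request source against the application origin and requires a session-bound anti-CSRF token, plus a simplified model of the SameSite rules that explains why a top-level navigation still carries a Lax cookie. The Request type, the deployment origin https://webui.example, the cookie name `session`, the header name X-CSRF-Token and the server secret are all assumptions constructed for illustration.

```python
"""Decision logic a state-changing endpoint needs, beside the behaviour
described for CVE-2024-7035.

Added example for this page; it is not Open WebUI code. The Request type,
the deployment origin https://webui.example, the session cookie name and the
server secret are all assumptions constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

APP_ORIGIN = "https://webui.example"                      # assumed deployment origin
SERVER_SECRET = b"demo-only-secret-rotate-in-production"  # constructed, not a real key

# The four endpoints named in the advisory; each one deletes or resets data.
STATE_CHANGING = {
    "/rag/api/v1/reset",
    "/rag/api/v1/reset/db",
    "/api/v1/memories/reset",
    "/rag/api/v1/reset/uploads",
}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session with an HMAC, so a token taken
    from one session cannot be replayed against another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(url: str) -> bool:
    """Compare scheme and host:port, not a string prefix, so that
    https://webui.example.attacker.test does not pass."""
    p = urlsplit(url)
    return bool(p.scheme and p.netloc) and f"{p.scheme}://{p.netloc}" == APP_ORIGIN


def vulnerable_allows(req: Request) -> bool:
    """Pre-fix behaviour as described on the page: any request carrying the
    session cookie reaches the reset handler, regardless of method or source."""
    return req.path in STATE_CHANGING and "session" in req.cookies


def hardened_allows(req: Request) -> tuple[bool, str]:
    """Hardened decision: POST only, same-origin source, valid anti-CSRF token."""
    if req.path not in STATE_CHANGING:
        return False, "not a reset endpoint"
    session = req.cookies.get("session")
    if not session:
        return False, "unauthenticated"
    if req.method != "POST":
        # <img src>, <a href>, redirects and top-level navigation can only
        # produce GET, so refusing GET removes the no-script attack surface.
        return False, f"state change via {req.method} refused"
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not same_origin(source):
        # Catches an auto-submitting cross-site <form method=POST>.
        return False, f"cross-site source {source!r}"
    if not hmac.compare_digest(req.headers.get("X-CSRF-Token", ""), csrf_token(session)):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def browser_sends_cookie(samesite: str, cross_site: bool, top_level_nav: bool, method: str) -> bool:
    """Simplified SameSite rule: Strict never crosses sites, Lax crosses only on
    top-level navigations with a safe method, None always crosses (needs Secure)."""
    if not cross_site:
        return True
    if samesite == "Strict":
        return False
    if samesite == "Lax":
        return top_level_nav and method in ("GET", "HEAD")
    return True


# Constructed requests standing in for what a victim's browser would send.
IMG_TAG_GET = Request("GET", "/rag/api/v1/reset/db",
                      headers={"Referer": "https://attacker.test/lure.html"},
                      cookies={"session": "sess-42"})
FORGED_POST = Request("POST", "/rag/api/v1/reset/db",
                      headers={"Origin": "https://attacker.test"},
                      cookies={"session": "sess-42"})
LEGIT_POST = Request("POST", "/rag/api/v1/reset/db",
                     headers={"Origin": APP_ORIGIN, "X-CSRF-Token": csrf_token("sess-42")},
                     cookies={"session": "sess-42"})

if __name__ == "__main__":
    for name, req in [("img GET", IMG_TAG_GET), ("forged POST", FORGED_POST), ("legit POST", LEGIT_POST)]:
        print(f"{name:12} vulnerable={vulnerable_allows(req)} hardened={hardened_allows(req)}")
    # Why the advisory mentions top-level navigation: a Lax cookie still rides along.
    print("Lax cookie on cross-site <img>:", browser_sends_cookie("Lax", True, False, "GET"))
    print("Lax cookie on cross-site link click:", browser_sends_cookie("Lax", True, True, "GET"))
```

The Origin check is a defence in depth behind the token, not a replacement for it: Origin can be absent on some same-site requests and Referer can be stripped by referrer policy, so the token is what the decision ultimately rests on, while refusing GET is what removes the no-script attack the advisory describes.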
Mitigation for CVE-2024-7035 should start with changing the four reset endpoints from GET to POST, which removes the attack surface reachable through <img> tags, links and navigation, and then adding a CSRF defence to the POST handlers: a per-session anti-CSRF token checked on every state-changing request, or at minimum validation that the Origin header (falling back to Referer) matches the application's own origin. The session cookie should carry SameSite=Strict so that it is not attached to cross-site requests at all, including the top-level navigations that SameSite=Lax still permits. Content Security Policy and X-Frame-Options are worth deploying for other reasons, but they do not prevent this attack, because it does not require framing the application. Code review should look for the same GET pattern in other endpoints that modify data or perform administrative functions, and sensitive operations should be logged with method, path and Referer or Origin so that GET requests to reset endpoints, in particular those referred from foreign sites, can be detected after the fact. Changes should be regression-tested so that the legitimate front-end still performs the resets, and updates should be deployed promptly. The case illustrates why request-method discipline and CSRF protection belong in API design from the start rather than as an afterthought.
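For the logging and monitoring recommendation above, an added example of the detection side, not Open WebUI or VulDB tooling: a scanner over web-server access logs in combined format that flags GET requests to the four reset endpoints and grades them by what the Referer reveals. The log lines are constructed for the example, and the application host webui.example is an assumption.

```python
"""Scan web-server access logs for requests to the CVE-2024-7035 reset
endpoints and flag the GET pattern that CSRF abuse would leave behind.

Added example for this page; it is not Open WebUI or VulDB tooling. The log
lines are constructed in Apache/nginx combined format and the application
host webui.example is an assumption.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

APP_HOST = "webui.example"   # assumed host the legitimate front-end is served from

RESET_PATHS = {
    "/rag/api/v1/reset",
    "/rag/api/v1/reset/db",
    "/api/v1/memories/reset",
    "/rag/api/v1/reset/uploads",
}

COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample; 203.0.113.0/24 and .test are reserved for documentation.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2025:14:01:58 +0000] "GET /api/v1/chats/ HTTP/1.1" 200 2310 "https://webui.example/" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2025:14:02:11 +0000] "GET /rag/api/v1/reset/db HTTP/1.1" 200 17 "https://attacker.test/lure.html" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2025:14:02:12 +0000] "GET /api/v1/memories/reset HTTP/1.1" 200 17 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Mar/2025:14:05:40 +0000] "POST /rag/api/v1/reset HTTP/1.1" 200 17 "https://webui.example/workspace" "Mozilla/5.0"
203.0.113.9 - - [20/Mar/2025:14:06:02 +0000] "GET /rag/api/v1/reset/uploads?confirm=1 HTTP/1.1" 200 17 "https://webui.example/workspace" "Mozilla/5.0"
"""


@dataclass
class Finding:
    line_no: int
    ip: str
    path: str
    referer: str
    severity: str
    reason: str


def classify(method: str, path: str, referer: str):
    """Return (severity, reason) for a request to a reset endpoint, or None
    when it is not worth raising. POST is the expected shape after the fix."""
    if method != "GET":
        return None
    if referer == "-":
        return "medium", "GET with no Referer (typed URL, redirect or stripped by referrer policy)"
    host = urlsplit(referer).hostname
    if host != APP_HOST:
        return "high", f"GET referred from foreign site {host}"
    return "low", "GET from own origin: pre-fix API still in use, confirm client version"


def scan(log_text: str) -> list[Finding]:
    """Parse each combined-format line and collect findings for reset endpoints."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = COMBINED.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path   # drop any query string before matching
        if path not in RESET_PATHS:
            continue
        verdict = classify(m["method"], path, m["referer"])
        if verdict:
            findings.append(Finding(line_no, m["ip"], path, m["referer"], *verdict))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no} {f.severity:6} {f.ip} {f.path} <- {f.referer}: {f.reason}")
```

A missing Referer is graded medium rather than dismissed because a `<meta name="referrer" content="no-referrer">` on the lure page removes it deliberately; the same-origin GET is kept at low severity because, until the front-end is updated, the legitimate client produces exactly that line, and it still tells the operator the vulnerable API shape is in use.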