CVE-2024-7983 in open-webui
Summary
by MITRE • 03/20/2025
In version 0.3.8 of open-webui, an endpoint for converting markdown to HTML is exposed without authentication. A maliciously crafted markdown payload can cause the server to spend excessive time converting it, leading to a denial of service. The server becomes unresponsive to other requests until the conversion is complete.
Analysis
by VulDB Data Team • 07/21/2025
The vulnerability identified as CVE-2024-7983 affects open-webui version 0.3.8 and is a critical flaw in the application's markdown-to-HTML conversion endpoint. The endpoint exposes a server-side processing function without any authentication, so any remote attacker can submit markdown for conversion without valid credentials. The weakness lies in the HTML rendering code that processes user-supplied markdown: because that code runs on whatever input it receives, an unauthenticated client can drive the server's processing with crafted payloads.
Technically, the server's markdown parser is susceptible to time-consuming processing when it handles specially crafted content. Attackers can construct payloads containing excessive nesting, recursive structures or other computationally expensive constructs that make the conversion consume disproportionate CPU time and memory. This matches CWE-400 (Uncontrolled Resource Consumption), the weakness class covering resource exhaustion of this kind. Because the conversion is processing-intensive, legitimate users experience degraded service or complete unavailability while the malicious conversion runs, a denial of service that affects the availability leg of the confidentiality, integrity and availability triad.
The operational impact goes beyond a momentary disruption: it is a significant threat to the availability of the open-webui deployment and to its users. When exploited, the vulnerability lets an attacker tie up server resources for as long as the conversion runs, which can leave the server unresponsive to legitimate requests and lock other users out of the application. This attack vector maps to ATT&CK technique T1499.004 (Endpoint Denial of Service: Application or System Exploitation), which covers exhausting an application's resources to deny service to legitimate users. Exploitation requires minimal skill and can be automated, which makes it particularly dangerous for publicly reachable instances whose attack surface is not protected by authentication.
Mitigation for CVE-2024-7983 should start with authentication on the markdown conversion endpoint so that only authorized users can reach it. Administrators should add rate limiting and monitor resource consumption to detect and curb abuse of the conversion service. The application should also validate and sanitize incoming markdown, rejecting payloads that exceed size or nesting limits before parsing begins. Timeouts and maximum processing limits on each conversion prevent a single request from consuming resources without bound, and regular security updates and patch management should be maintained to address similar weaknesses in the codebase. The fix should include proper access controls as recommended by CWE-285 (Improper Authorization), which emphasizes authentication and authorization mechanisms that protect system resources from unauthorized access.
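The pre-parse limits and per-request time budget recommended above, as an added Python example. This is not open-webui's code; the converters, limit values and HTTP status codes are assumptions made for illustration, and the real markdown library would stand where the toy converters are.

```python
import html
import multiprocessing as mp
import re

MAX_BYTES = 64 * 1024      # assumed limit; not a value taken from open-webui
MAX_DEPTH = 16             # assumed cap on blockquote nesting per line
TIMEOUT_SECONDS = 2.0      # assumed per-request time budget
# fork keeps this self-contained; spawn/forkserver would re-import __main__
_ctx = mp.get_context("fork" if "fork" in mp.get_all_start_methods() else None)

class MarkdownRejected(Exception):
    """args == (http_status, reason): why an endpoint would refuse the request."""

def check_limits(text, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH):
    # Cheap structural checks, run before the expensive parser ever sees input.
    if len(text.encode("utf-8")) > max_bytes:
        raise MarkdownRejected(413, "payload too large")
    for line in text.splitlines():
        if re.match(r"[ >]*", line).group(0).count(">") > max_depth:
            raise MarkdownRejected(413, "blockquote nesting too deep")

def _worker(converter, text, conn):
    conn.send(converter(text))  # a converter crash closes the pipe: EOFError in parent

def convert_with_budget(text, converter, timeout=TIMEOUT_SECONDS, **limits):
    # Run the converter in a child process so a runaway parse can be killed.
    check_limits(text, **limits)
    parent, child = _ctx.Pipe(duplex=False)
    proc = _ctx.Process(target=_worker, args=(converter, text, child))
    proc.start()
    child.close()
    if not parent.poll(timeout):    # no result in time: kill the child, not the server
        proc.kill()
        proc.join()
        raise MarkdownRejected(504, f"conversion exceeded {timeout}s budget")
    result = parent.recv()
    proc.join()
    return result

def handle_request(text, converter, **kw):
    # Endpoint-style outcome: (200, html) on success, (status, reason) on refusal.
    try:
        return 200, convert_with_budget(text, converter, **kw)
    except MarkdownRejected as exc:
        return exc.args

def quick_converter(text):         # constructed stand-in for the markdown library
    return "<p>%s</p>" % html.escape(text)

def stuck_converter(text):         # models a parser burning CPU on crafted input
    while True:
        pass
```

The authentication check itself belongs in the web framework's request handling in front of `handle_request`; the limits here only bound what an authenticated caller can cost the server.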