Open WebUI, Code Injection via SSE, CVE-2025-XXXXX (Critical)


The vulnerability exists in Open WebUI’s frontend JavaScript code responsible for handling Server-Sent Events (SSE) from externally configured model servers. When the “Direct Connections” feature is enabled, the application adds an event listener for SSE streams. This listener checks for an event type named ‘execute’. Upon receiving such an event, the code within the event’s data is directly passed to the `new Function()` constructor and executed. The critical flaw is the lack of validation or sanitization of the incoming ‘execute’ event data, which originates from an untrusted external server controlled by an attacker. This allows a malicious model server to send a crafted SSE stream containing JavaScript code. When a user interacts with the malicious model, this code is executed in the victim’s browser context, leading to theft of the JWT authentication token stored in localStorage.
Platform: Open WebUI
Version: <=0.6.33
Vulnerability: Code Injection
Severity: Critical
Date: 2025-10-08

Prediction: 2025-10-22

What Undercode Says:

```shell
# Follow the container log and filter for the marker printed by the PoC script
docker logs open-webui -f | grep AUTO_EXPLOIT_OUTPUT
# Run the PoC script referenced by the report (auto_exploit.py is not reproduced on this page)
uv run python auto_exploit.py
# Check which account a given JWT ($TOKEN) resolves to on the local instance
curl -H "Authorization: Bearer $TOKEN" 'http://localhost:3000/api/v1/auths/'
```

The vulnerable frontend handler (runs inside an async SSE listener, which is why `await` is valid here):

```javascript
if (event.type === 'execute') {
  // Server-supplied string is compiled straight into a function and run in the browser
  const func = new Function(event.data.code);
  await func();
}
```
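The hardened counterpart, as an added example that is not Open WebUI's code: an SSE consumer that parses the text/event-stream format, allow-lists event types, treats payloads as inert JSON and never compiles stream content. The event names (`message`, `done`) and payload shape are assumptions; the stream below is constructed.

```javascript
// Added example (not Open WebUI's code). Event names and payload shape are assumptions.
const ALLOWED_EVENTS = new Set(['message', 'done']);

// Minimal text/event-stream parser: a blank line ends an event, "event:" sets
// the type (default "message"), and multiple "data:" lines are joined with "\n".
function parseSse(text) {
  const events = [];
  let type = 'message', data = [];
  for (const raw of text.split(/\r?\n/)) {
    if (raw === '') {
      if (data.length) events.push({ type, data: data.join('\n') });
      type = 'message'; data = [];
    } else if (raw.startsWith('event:')) {
      type = raw.slice(6).trim();
    } else if (raw.startsWith('data:')) {
      data.push(raw.slice(5).replace(/^ /, ''));
    }
  }
  if (data.length) events.push({ type, data: data.join('\n') });
  return events;
}

// Hardened dispatcher: unknown event types (including "execute") are dropped and
// counted so they can be surfaced in telemetry; data is only ever parsed as JSON
// and copied out as text, never passed to new Function() or eval().
function consumeStream(text) {
  const accepted = [], rejected = [];
  for (const ev of parseSse(text)) {
    if (!ALLOWED_EVENTS.has(ev.type)) { rejected.push(ev.type); continue; }
    let payload;
    try { payload = JSON.parse(ev.data); } catch { rejected.push(ev.type); continue; }
    if (ev.type === 'message' && typeof payload.content === 'string') {
      accepted.push(payload.content); // plain text for rendering only
    } else if (ev.type === 'done') {
      accepted.push(null);            // end-of-stream marker
    } else {
      rejected.push(ev.type);         // right type, wrong shape
    }
  }
  return { accepted, rejected };
}

// Constructed stream: a normal token, then an "execute" event of the kind the advisory describes.
const SAMPLE_STREAM = [
  'event: message', 'data: {"content":"Hello"}', '',
  'event: execute', 'data: {"code":"/* server-supplied JS would sit here */"}', '',
  'event: done', 'data: {}', '',
].join('\n');
```

Running `consumeStream(SAMPLE_STREAM)` yields the text `Hello` and the end marker, with the `execute` event reported in `rejected` rather than executed.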

How the Exploit Works:

The malicious model server sends an SSE stream.

An ‘execute’ event triggers the handler.

`new Function()` executes payload.

The JWT is read from localStorage and exfiltrated via fetch.

Protection from this CVE

Disable Direct Connections.

Patch to v0.6.34+.

Validate external servers.

Sanitize SSE events.

Impact:

Authentication token theft.

Complete account takeover.

Remote code execution.

Data exfiltration.


Sources:

Reported By: github.com