AI Threat Alert

CVE-2024-7033

GHSA-3p9q-7w63-3f8q MEDIUM
Published March 20, 2025

In version 0.3.8 of open-webui/open-webui, an arbitrary file write vulnerability exists in the download_model endpoint. When deployed on Windows, the application improperly handles file paths,...

Full analysis pending. Showing NVD description excerpt.

Affected Systems

Package Ecosystem Vulnerable Range Patched
open-webui pip <= 0.3.8 No patch

Do you use open-webui? You're affected.

Severity & Risk

CVSS 3.1
6.5 / 10
EPSS
1.2%
chance of exploitation in 30 days
KEV Status
Not in KEV
Sophistication
N/A

Recommended Action

No patch available

Monitor for updates. Consider compensating controls or temporary mitigations.

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Technical Details

NVD Description

In version 0.3.8 of open-webui/open-webui, an arbitrary file write vulnerability exists in the download_model endpoint. When deployed on Windows, the application improperly handles file paths, allowing an attacker to manipulate the file path to write files to arbitrary locations on the server's filesystem. This can result in overwriting critical system or application files, causing denial of service, or potentially achieving remote code execution (RCE). RCE can allow an attacker to execute malicious code with the privileges of the user running the application, leading to a full system compromise.

Weaknesses (CWE)

CWE-29 Path Traversal: '..filename' Primary

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

References

Timeline

Published
March 20, 2025
Last Modified
March 21, 2025
First Seen
March 24, 2026
Back to Threat Feed