What is the severity of CVE-2024-12537?

CVE-2024-12537 is classified as a critical vulnerability due to the absence of authentication mechanisms allowing unauthenticated access.

How do I fix CVE-2024-12537?

To fix CVE-2024-12537, implement authentication mechanisms for the `api/v1/utils/code/format` endpoint.

Who is affected by CVE-2024-12537?

CVE-2024-12537 affects users of version 0.3.32 of the open-webui/open-webui software.

What type of attack can exploit CVE-2024-12537?

CVE-2024-12537 can be exploited through a denial of service attack by sending a POST request with an excessively large payload.

Is there a patch available for CVE-2024-12537?

As of now, check for updates from open-webui for any patches addressing CVE-2024-12537.

Vulnerability/
CVE-2024-12537

high

7.5

CWE

400 770

20/3/2025

4/4/2025

CVE-2024-12537: Unauthenticated Denial of Service in open-webui/open-webui

First published: Thu Mar 20 2025(Updated: )

In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker to access the `api/v1/utils/code/format` endpoint. If a malicious actor sends a POST request with an excessively high volume of content, the server could become completely unresponsive. This could lead to severe performance issues, causing the server to become unresponsive or experience significant degradation, ultimately resulting in service interruptions for legitimate users.

Credit: security@huntr.dev

Affected Software	Affected Version	How to fix
open-webui
npm/open-webui	<=0.3.32
pip/open-webui	<=0.3.32
OpenWrt libuci	=0.3.32

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-12537?
CVE-2024-12537 is classified as a critical vulnerability due to the absence of authentication mechanisms allowing unauthenticated access.
How do I fix CVE-2024-12537?
To fix CVE-2024-12537, implement authentication mechanisms for the `api/v1/utils/code/format` endpoint.
Who is affected by CVE-2024-12537?
CVE-2024-12537 affects users of version 0.3.32 of the open-webui/open-webui software.
What type of attack can exploit CVE-2024-12537?
CVE-2024-12537 can be exploited through a denial of service attack by sending a POST request with an excessively large payload.
Is there a patch available for CVE-2024-12537?
As of now, check for updates from open-webui for any patches addressing CVE-2024-12537.

agent/title
agent/type
agent/first-publish-date
agent/description
agent/guess-ai
agent/software-canonical-lookup
agent/author
collector/github-advisory-latest
source/GitHub
alias/GHSA-chf7-q7m5-fq92
alias/CVE-2024-12537
collector/nvd-cve
source/NVD
agent/references
agent/source
collector/mitre-cve
source/MITRE
collector/github-advisory
agent/severity
agent/weakness
agent/last-modified-date
agent/softwarecombine
agent/tags
agent/event
collector/nvd-api
vendor/open-webui
canonical/open-webui
package-manager/npm
package-manager/pip
vendor/openwebui
canonical/openwrt libuci
version/openwrt libuci/0.3.32

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.