CVE-2024-12537
Published: 20 March 2025
Summary
CVE-2024-12537 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Open WebUI (open-webui/open-webui). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE is ranked in the top 14.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SC-5 (Denial-of-Service Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-5 implements denial-of-service protections such as rate limiting and resource throttling, directly preventing resource exhaustion from oversized unauthenticated POST requests to the code-format endpoint.
AC-14 limits the actions permitted without identification or authentication, prohibiting unauthenticated access to the vulnerable `api/v1/utils/code/format` endpoint.
SI-9 restricts information inputs, including excessively large content volumes, directly mitigating the CWE-770 unbounded resource allocation flaw in the endpoint.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthenticated resource exhaustion via oversized POST requests to a public endpoint, which maps directly to Application Exhaustion Flood (T1499.003) as a denial-of-service technique.
NVD Description
In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker to access the `api/v1/utils/code/format` endpoint. If a malicious actor sends a POST request with an excessively high volume of content, the server could become completely unresponsive. This could lead to severe performance issues, causing the server to become unresponsive or experience significant degradation, ultimately resulting in service interruptions for legitimate users.
Deeper analysis
CVE-2024-12537 is a denial-of-service vulnerability in version 0.3.32 of open-webui/open-webui, stemming from the absence of authentication on the `api/v1/utils/code/format` endpoint (CWE-770: Allocation of Resources Without Limits or Throttling). This allows unauthenticated attackers to send POST requests containing an excessively high volume of content, exhausting server resources and rendering it completely unresponsive. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting high availability impact with no confidentiality or integrity effects.
Any unauthenticated attacker with network access can exploit the vulnerability by crafting and sending a POST request with oversized content to the exposed endpoint. Successful exploitation leads to severe performance degradation, server unresponsiveness, or full service interruptions, denying access to legitimate users without requiring privileges, user interaction, or special conditions.
Details on mitigation, including any patches or workarounds, are available in the primary advisory published on Huntr at https://huntr.com/bounties/edabd06c-acc0-428c-a481-271f333755bc. The vulnerability was publicly disclosed on 2025-03-20.
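The three controls mapped to this CVE (AC-14 authentication, SI-9 input-size limiting, SC-5 rate limiting) expressed as one admission check in front of the `api/v1/utils/code/format` endpoint. This is an added example, not Open WebUI's own code; the request shape, the byte and rate limits, and the bearer-token check are constructed assumptions.

```python
import time
from dataclasses import dataclass, field
from typing import Callable

# Constructed limits; Open WebUI's real values (if any) are not on the page.
MAX_BODY_BYTES = 64 * 1024        # SI-9: cap on the code payload to format
RATE_LIMIT_PER_MINUTE = 30        # SC-5: per-client request budget
PROTECTED_PREFIX = "api/v1/utils/code/format"   # the endpoint named in the CVE


@dataclass
class Request:
    path: str          # minimal stand-in for an HTTP request (constructed)
    headers: dict
    client_ip: str
    body: bytes = b""


@dataclass
class Gate:
    valid_tokens: set                                  # assumed session tokens
    window: dict = field(default_factory=dict)        # client_ip -> timestamps
    clock: Callable[[], float] = time.monotonic

    def admit(self, req: Request) -> tuple:
        """Return (admitted, status) for a request to the protected endpoint."""
        if not req.path.lstrip("/").startswith(PROTECTED_PREFIX):
            return True, "not protected"
        # AC-14: authenticate before any work is done on the body.
        auth = req.headers.get("authorization", "")
        token = auth[7:] if auth.lower().startswith("bearer ") else ""
        if token not in self.valid_tokens:
            return False, "401 authentication required"
        # SI-9: refuse oversized input. The declared Content-Length lets a huge
        # body be rejected before it is read; the actual length defeats a lying
        # or missing header.
        try:
            declared = int(req.headers.get("content-length", "0"))
        except ValueError:
            return False, "400 bad content-length"
        if max(declared, len(req.body)) > MAX_BODY_BYTES:
            return False, "413 payload too large"
        # SC-5: sliding one-minute window per client address.
        now = self.clock()
        recent = [t for t in self.window.get(req.client_ip, []) if now - t < 60]
        if len(recent) >= RATE_LIMIT_PER_MINUTE:
            self.window[req.client_ip] = recent
            return False, "429 too many requests"
        recent.append(now)
        self.window[req.client_ip] = recent
        return True, "200 admitted"
```

Ordering matters: the authentication and size checks run before the rate limiter, so anonymous or oversized requests are dropped without consuming the client's budget or any formatting work.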
Details
- CWE(s)