
CVE-2024-12537

High severity · Public PoC · DoS

Published: 20 March 2025
Modified: 04 April 2025
KEV Added: not listed
Patch: not recorded on this page; see the Huntr advisory referenced below
CVSS v3.1 base score: 7.5 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS score: 0.0267 (86.1st percentile)
Risk priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-12537 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Open WebUI (open-webui/open-webui), version 0.3.32. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). By EPSS the CVE ranks in the top 13.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are the NIST SP 800-53 controls AC-14 (Permitted Actions Without Identification or Authentication) and SC-5 (Denial-of-Service Protection).

Deeper analysis

CVE-2024-12537 is a denial-of-service vulnerability in version 0.3.32 of open-webui/open-webui. The `api/v1/utils/code/format` endpoint requires no authentication and places no effective limit on the amount of content it accepts in a POST body (CWE-770: Allocation of Resources Without Limits or Throttling). An unauthenticated attacker can therefore submit requests with an excessively large body and exhaust server resources until the service stops responding. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): high availability impact, no confidentiality or integrity impact.

Any attacker with network access to the endpoint can exploit it, with no privileges, user interaction or special preconditions, by sending a POST request with an oversized body. The outcome ranges from severe performance degradation to complete unresponsiveness and service interruption for legitimate users.

Mitigation details, including any patch or workaround, are in the primary advisory on Huntr: https://huntr.com/bounties/edabd06c-acc0-428c-a481-271f333755bc. The vulnerability was publicly disclosed on 20 March 2025.


Vulnerability details

In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker to access the `api/v1/utils/code/format` endpoint. If a malicious actor sends a POST request with an excessively high volume of content, the server could become completely unresponsive. This could lead to severe performance issues, causing the server to become unresponsive or experience significant degradation, ultimately resulting in service interruptions for legitimate users.

CWE(s)

CWE-770 Allocation of Resources Without Limits or Throttling

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1499.003 Application Exhaustion Flood (tactic: Impact)
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

The vulnerability enables unauthenticated resource exhaustion via oversized POST requests to a public endpoint, directly mapping to application exhaustion flood for denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
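To make the mapping concrete, here is an added example (not from this page, Open WebUI or MITRE) of detection logic for this technique: it scans constructed nginx-style access-log lines for bursts of POSTs to `api/v1/utils/code/format` from one source and for single requests with very large bodies. The log layout (combined format with `$request_length` appended as the last field), the sample lines and the thresholds are assumptions made for the example.

```python
"""Detect an application exhaustion flood (T1499.003) against the code-format
endpoint from web-server access logs.

Added example for this page, not Open WebUI or MITRE code. The log format is an
assumed nginx-style combined line with $request_length appended as the last field
(request line, headers and body, in bytes); sample lines and thresholds are constructed."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

TARGET_PATH = "/api/v1/utils/code/format"
BURST_COUNT = 5                  # assumed: this many POSTs per client per window is a flood
BURST_WINDOW_S = 60
LARGE_REQUEST_BYTES = 1_000_000  # assumed: a single request this large deserves a look

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "[^"]*" (?P<req_len>\d+)$'
)

# Constructed sample: 203.0.113.7 floods the endpoint with ~50 MiB bodies until
# the upstream starts answering 502, 192.0.2.9 sends one 10 MiB body, 198.51.100.4
# is an ordinary user.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2025:10:00:01 +0000] "POST /api/v1/utils/code/format HTTP/1.1" 200 512 "-" "python-requests/2.31" 52428800
203.0.113.7 - - [20/Mar/2025:10:00:03 +0000] "POST /api/v1/utils/code/format HTTP/1.1" 200 512 "-" "python-requests/2.31" 52428800
203.0.113.7 - - [20/Mar/2025:10:00:05 +0000] "POST /api/v1/utils/code/format HTTP/1.1" 200 512 "-" "python-requests/2.31" 52428800
203.0.113.7 - - [20/Mar/2025:10:00:07 +0000] "POST /api/v1/utils/code/format HTTP/1.1" 502 0 "-" "python-requests/2.31" 52428800
203.0.113.7 - - [20/Mar/2025:10:00:09 +0000] "POST /api/v1/utils/code/format HTTP/1.1" 502 0 "-" "python-requests/2.31" 52428800
198.51.100.4 - - [20/Mar/2025:10:00:10 +0000] "POST /api/v1/utils/code/format HTTP/1.1" 200 298 "-" "Mozilla/5.0" 1834
198.51.100.4 - - [20/Mar/2025:10:05:10 +0000] "GET /api/v1/models HTTP/1.1" 200 4096 "-" "Mozilla/5.0" 612
192.0.2.9 - - [20/Mar/2025:10:01:00 +0000] "POST /api/v1/utils/code/format HTTP/1.1" 200 512 "-" "curl/8.4.0" 10485760
"""


@dataclass(frozen=True)
class Hit:
    ts: datetime
    status: int
    req_len: int


@dataclass(frozen=True)
class Finding:
    client: str
    kind: str     # "burst" or "oversized"
    detail: str


def parse_line(line: str) -> tuple[str, str, str, Hit] | None:
    """Return (ip, method, path, Hit), or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], m["method"], m["path"], Hit(ts, int(m["status"]), int(m["req_len"]))


def analyse(log_text: str) -> list[Finding]:
    """Group POSTs to the target path by client, then apply both detections."""
    per_client: dict[str, list[Hit]] = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, path, hit = parsed
        if method == "POST" and path.split("?", 1)[0] == TARGET_PATH:   # ignore query strings
            per_client[ip].append(hit)

    findings: list[Finding] = []
    for ip, hits in per_client.items():
        hits.sort(key=lambda h: h.ts)
        big = [h for h in hits if h.req_len >= LARGE_REQUEST_BYTES]
        if big:
            findings.append(Finding(ip, "oversized", f"{len(big)} request(s) of at least "
                            f"{LARGE_REQUEST_BYTES} bytes, largest {max(h.req_len for h in big)}"))
        start = 0   # sliding window; report the first window that reaches BURST_COUNT
        for end, h in enumerate(hits):
            while (h.ts - hits[start].ts).total_seconds() > BURST_WINDOW_S:
                start += 1
            if end - start + 1 >= BURST_COUNT:
                window = hits[start:end + 1]
                errors = sum(1 for w in window if w.status >= 500)
                findings.append(Finding(ip, "burst", f"{len(window)} POSTs within {BURST_WINDOW_S}s "
                                f"from {window[0].ts.isoformat()}, {errors} answered 5xx"))
                break
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.kind}] {f.client}: {f.detail}")
```

The two signals are deliberately independent: a burst of small requests and a handful of huge ones are both consistent with T1499.003, and the 5xx count inside a burst window tells the responder whether the upstream had already started to fail when the flood was observed.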

CVEs Like This One

CVE-2026-0765 (same product: Open WebUI)
CVE-2026-0766 (same product: Open WebUI)
CVE-2024-7053 (same product: Open WebUI)
CVE-2026-44721 (same product: Open WebUI)
CVE-2026-45301 (same product: Open WebUI)
CVE-2026-44567 (same product: Open WebUI)
CVE-2026-44551 (same product: Open WebUI)
CVE-2026-44554 (same product: Open WebUI)
CVE-2026-26193 (same product: Open WebUI)
CVE-2026-44565 (same product: Open WebUI)

Affected Assets

Vendor: openwebui
Product: open webui
Version: 0.3.32

Mitigating Controls

Mitigating Controls (NIST SP 800-53 r5, AI-generated mapping)

SC-5 Denial-of-Service Protection (prevent, detect): rate limiting and resource throttling on the code-format endpoint stop oversized unauthenticated POST requests from exhausting the server, and the same throttles surface a flood as soon as it starts.

AC-14 Permitted Actions Without Identification or Authentication (prevent): limits what a caller may do without authenticating; applied here, it denies unauthenticated access to `api/v1/utils/code/format`.

SI-10 Information Input Validation (prevent): bounds and validates inputs, here the size of the request body, which addresses the CWE-770 unbounded allocation directly. SI-9 (Information Input Restrictions), the control cited for this mapping, was withdrawn in SP 800-53 r4 and incorporated into AC-2, AC-3, AC-5 and AC-6, so SI-10 is the current control for input bounds.
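The weaknesses described under Deeper analysis (an endpoint that neither authenticates the caller nor bounds the body it processes) and the three controls mapped here come together in the following added example. It is not Open WebUI code: a stand-alone Python handler for a formatter-style endpoint that throttles each client, refuses anonymous callers, and caps the body both by declared length and by bytes actually read before anything reaches the formatter. The token, limits, client addresses and the `tidy_code` stand-in formatter are assumptions.

```python
"""Front-door controls for a code-formatting endpoint (AC-14, SC-5, input bounds).

Added example for this page, not Open WebUI code. Tokens, limits, client addresses
and the tidy_code stand-in formatter are assumptions; the real formatter is treated
as an opaque, expensive routine that must never see anonymous or unbounded input."""
from __future__ import annotations

import hmac
import io
from collections import defaultdict, deque
from dataclasses import dataclass, field

MAX_BODY_BYTES = 64 * 1024   # assumed input cap; this is the CWE-770 fix
RATE_LIMIT = 10              # assumed requests per client per window (SC-5)
RATE_WINDOW_S = 60.0


@dataclass
class Response:
    status: int
    body: str


@dataclass
class FormatEndpoint:
    valid_tokens: frozenset[str]
    max_body: int = MAX_BODY_BYTES
    limit: int = RATE_LIMIT
    window: float = RATE_WINDOW_S
    _recent: dict = field(default_factory=lambda: defaultdict(deque))  # client -> timestamps

    def _rate_limited(self, client: str, now: float) -> bool:
        q = self._recent[client]   # SC-5 sliding window; rejected calls count too
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return True
        q.append(now)
        return False

    def _authenticated(self, headers: dict[str, str]) -> bool:
        """AC-14: no work at all for callers who do not identify themselves."""
        auth = headers.get("authorization", "")
        if not auth.lower().startswith("bearer "):
            return False
        presented = auth[7:].strip().encode()   # constant-time compare per accepted token
        return any(hmac.compare_digest(presented, t.encode()) for t in self.valid_tokens)

    def _read_bounded(self, stream: io.BufferedIOBase) -> bytes | None:
        """Read at most max_body bytes; None once the body runs past the cap.
        Content-Length can be absent or false, so the cap applies to bytes received."""
        buf = bytearray()
        while chunk := stream.read(8192):
            buf.extend(chunk)
            if len(buf) > self.max_body:
                return None
        return bytes(buf)

    def handle(self, client: str, headers: dict[str, str],
               body: bytes | io.BufferedIOBase, now: float) -> Response:
        """Cheapest and most abusable checks first; the formatter runs last."""
        headers = {k.lower(): v for k, v in headers.items()}
        stream = io.BytesIO(body) if isinstance(body, (bytes, bytearray)) else body
        if self._rate_limited(client, now):
            return Response(429, "too many requests")
        if not self._authenticated(headers):
            return Response(401, "authentication required")
        declared = headers.get("content-length")
        if declared is not None and (not declared.isdigit() or int(declared) > self.max_body):
            return Response(413, "payload too large")   # refused before reading a byte
        data = self._read_bounded(stream)
        if data is None:
            return Response(413, "payload too large")   # header lied; the cap still held
        return Response(200, tidy_code(data.decode("utf-8", errors="replace")))


def tidy_code(code: str) -> str:
    """Stand-in for the real formatter (assumed): normalise line endings and strip
    trailing whitespace. Linear in input size, so bounded input means bounded work."""
    return "\n".join(line.rstrip() for line in code.replace("\r\n", "\n").split("\n"))


def demo() -> list[int]:
    """Drive the endpoint with constructed requests; returns the status codes."""
    ep = FormatEndpoint(valid_tokens=frozenset({"example-token"}))
    ok = {"Authorization": "Bearer example-token"}
    big = {**ok, "Content-Length": str(10 << 20)}   # claims a 10 MiB body
    lie = {**ok, "Content-Length": "5"}             # claims 5 bytes, sends far more
    out = [
        ep.handle("10.0.0.1", {}, b"x = 1", now=0.0).status,                       # anonymous
        ep.handle("10.0.0.2", big, b"x = 1", now=0.0).status,                      # oversized by header
        ep.handle("10.0.0.2", lie, b"a" * (MAX_BODY_BYTES + 1), now=1.0).status,   # oversized in fact
        ep.handle("10.0.0.2", ok, b"x = 1   \n", now=2.0).status,                  # legitimate
    ]
    for i in range(RATE_LIMIT + 1):   # one client hammering: call RATE_LIMIT + 1 is throttled
        last = ep.handle("10.0.0.3", ok, b"y = 2", now=10.0 + i).status
    out.append(last)
    return out   # [401, 413, 413, 200, 429]
```

The ordering is the point: the throttle runs first and counts rejected requests, so an attacker cannot spend the server's time on authentication or body reads; the body cap is enforced on received bytes and not only on Content-Length, because that header is attacker-controlled; and the formatter, whatever it is in the real service, only ever runs for an authenticated caller on a bounded input.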
