CVE-2024-12534 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

Any internet-exposed open-webui instance on v0.3.32 or earlier can be taken offline by an unauthenticated attacker submitting oversized strings to the login endpoint—no credentials needed. If your team uses open-webui as a gateway to internal LLMs (Ollama, OpenAI-compatible backends), this means full service disruption with a trivial HTTP request. Patch or gate the endpoint behind a WAF/reverse proxy with body-size limits immediately.

Risk Assessment

Practical risk is HIGH for exposed deployments despite the low EPSS (0.00162). The attack is trivially reproducible—a single curl command with a multi-MB payload suffices. Attack surface is any public or intranet-facing open-webui login page, which is common in enterprise AI sandbox environments. No authentication barrier, no rate limit bypass needed. The saving grace is that open-webui is typically deployed internally, reducing external exposure, but lateral-movement scenarios from a compromised internal host are realistic.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
open-webui	npm	<= 0.3.32	No patch
136.3K Pushed today 58% patched ~9d to patch Full package profile →
open-webui	pip	<= 0.3.32	No patch
136.3K Pushed today 58% patched ~9d to patch Full package profile →

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.6%

chance of exploitation in 30 days

Higher than 70% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

PATCH

Upgrade open-webui to any version > 0.3.32 once available; monitor the GitHub advisory GHSA-g3mx-83mp-3rwc for patch release.
IMMEDIATE WORKAROUND

Add nginx/Apache client_max_body_size 1m upstream of open-webui to reject oversized bodies at the reverse proxy layer.
RATE LIMIT

Apply rate limiting on the /api/v1/auths/signin endpoint (e.g., 10 req/min per IP via nginx limit_req).
NETWORK CONTROL

Restrict open-webui access to trusted IP ranges or require VPN—this eliminates unauthenticated external exposure entirely.
DETECT

Alert on POST requests to sign-in endpoint with Content-Length > 10KB or request processing time > 5s.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS API Framework AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

A.9.2 - Availability of AI Systems

NIST AI RMF

MANAGE 2.2 - Mechanisms for Responding to AI Risks

OWASP LLM Top 10

LLM10:2025 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2024-12534?

Any internet-exposed open-webui instance on v0.3.32 or earlier can be taken offline by an unauthenticated attacker submitting oversized strings to the login endpoint—no credentials needed. If your team uses open-webui as a gateway to internal LLMs (Ollama, OpenAI-compatible backends), this means full service disruption with a trivial HTTP request. Patch or gate the endpoint behind a WAF/reverse proxy with body-size limits immediately.

Is CVE-2024-12534 actively exploited?

No confirmed active exploitation of CVE-2024-12534 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-12534?

1. PATCH: Upgrade open-webui to any version > 0.3.32 once available; monitor the GitHub advisory GHSA-g3mx-83mp-3rwc for patch release. 2. IMMEDIATE WORKAROUND: Add nginx/Apache `client_max_body_size 1m` upstream of open-webui to reject oversized bodies at the reverse proxy layer. 3. RATE LIMIT: Apply rate limiting on the `/api/v1/auths/signin` endpoint (e.g., 10 req/min per IP via nginx `limit_req`). 4. NETWORK CONTROL: Restrict open-webui access to trusted IP ranges or require VPN—this eliminates unauthenticated external exposure entirely. 5. DETECT: Alert on POST requests to sign-in endpoint with Content-Length > 10KB or request processing time > 5s.

What systems are affected by CVE-2024-12534?

This vulnerability affects the following AI/ML architecture patterns: LLM serving, AI chatbot platforms, Ollama deployments, Internal AI developer tooling.

What is the CVSS score for CVE-2024-12534?

CVE-2024-12534 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.62%.

Technical Details

NVD Description

In version v0.3.32 of open-webui/open-webui, the application allows users to submit large payloads in the email and password fields during the sign-in process due to the lack of character length validation on these inputs. This vulnerability can lead to a Denial of Service (DoS) condition when a user submits excessively large strings, exhausting server resources such as CPU, memory, and disk space, and rendering the service unavailable for legitimate users. This makes the server susceptible to resource exhaustion attacks without requiring authentication.

Exploitation Scenario

An adversary targeting an organization's internal AI platform identifies an exposed open-webui instance via Shodan or internal network scan. They craft a single HTTP POST to `/api/v1/auths/signin` with a 50MB string in the `password` field. The server begins processing the oversized payload—hashing the password candidate, logging the attempt, writing to disk—exhausting available memory and CPU. Within seconds, the server becomes unresponsive. Legitimate users—security analysts, developers, or automated AI pipelines—lose access to all LLM models proxied through open-webui. The attacker repeats the request via a script to maintain the outage, requiring no authentication and leaving minimal forensic trace beyond access logs showing large POST bodies.