GHSA-6wj5-5pgr-jwq8 — HIGH (CVSS 7.5) AI Security Vulnerability

Q: Is GHSA-6wj5-5pgr-jwq8 actively exploited?

No confirmed active exploitation of GHSA-6wj5-5pgr-jwq8 has been reported, but organizations should still patch proactively.

Q: How to fix GHSA-6wj5-5pgr-jwq8?

1. Patch immediately: upgrade open-webui to >= 0.4.7, which pins python-multipart to a patched version (fixes GHSA-59g5-xgcq-4qw3 / CVE-2024-53981). 2. If patching is not immediately possible: block or rate-limit file upload endpoints (/api/v1/files or equivalent) at WAF/reverse proxy; reject multipart/form-data requests with boundary strings exceeding 70 characters (RFC 2046 limit). 3. Audit your full Python AI stack for python-multipart < 0.0.18—FastAPI, Starlette, and other frameworks share this dependency. 4. Detection: monitor for CPU saturation spikes or HTTP 5xx error bursts correlated with multipart POST requests to file upload endpoints. 5. In cloud deployments, set resource quotas (CPU limits) on the open-webui container to bound the DoS blast radius.

Q: What systems are affected by GHSA-6wj5-5pgr-jwq8?

This vulnerability affects the following AI/ML architecture patterns: ML UI/Chat interfaces, self-hosted LLM deployments, model serving.

Q: What is the CVSS score for GHSA-6wj5-5pgr-jwq8?

GHSA-6wj5-5pgr-jwq8 has a CVSS v3.1 base score of 7.5 (HIGH).

CISO Take

An unauthenticated attacker can crash open-webui entirely by sending a file upload request with an oversized multipart boundary string—no credentials or AI knowledge required. Any team running open-webui for self-hosted LLM access (Ollama, OpenAI-compatible backends) must patch to 0.4.7 immediately. Until patched, block or rate-limit file upload endpoints at the WAF or reverse proxy layer.

Risk Assessment

CVSS 7.5 HIGH with network-accessible, zero-authentication, zero-user-interaction exploitation. The attack is trivially simple—crafting a malformed multipart HTTP request requires no AI/ML expertise. Open-webui is widely deployed in enterprise and research environments as the primary interface to self-hosted LLMs, meaning a successful attack takes down all model interactions for every user on the instance. Not in CISA KEV, but the low exploitation bar and high deployment prevalence elevate operational risk significantly above what the CVSS score alone suggests.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
open-webui	pip	< 0.4.7	`0.4.7`
135.3K Pushed 8d ago 58% patched ~9d to patch Full package profile →

Do you use open-webui? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Patch immediately: upgrade open-webui to >= 0.4.7, which pins python-multipart to a patched version (fixes GHSA-59g5-xgcq-4qw3 / CVE-2024-53981).
If patching is not immediately possible: block or rate-limit file upload endpoints (/api/v1/files or equivalent) at WAF/reverse proxy; reject multipart/form-data requests with boundary strings exceeding 70 characters (RFC 2046 limit).
Audit your full Python AI stack for python-multipart < 0.0.18—FastAPI, Starlette, and other frameworks share this dependency.
Detection: monitor for CPU saturation spikes or HTTP 5xx error bursts correlated with multipart POST requests to file upload endpoints.
In cloud deployments, set resource quotas (CPU limits) on the open-webui container to bound the DoS blast radius.

Classification

DoS Framework API AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity of high-risk AI systems

ISO 42001

A.9.2 - AI system availability and resilience

NIST AI RMF

MS-2.5 - Resilience — AI system maintains functionality under adverse conditions

OWASP LLM Top 10

LLM04 - Model Denial of Service

Frequently Asked Questions

What is GHSA-6wj5-5pgr-jwq8?

An unauthenticated attacker can crash open-webui entirely by sending a file upload request with an oversized multipart boundary string—no credentials or AI knowledge required. Any team running open-webui for self-hosted LLM access (Ollama, OpenAI-compatible backends) must patch to 0.4.7 immediately. Until patched, block or rate-limit file upload endpoints at the WAF or reverse proxy layer.

Is GHSA-6wj5-5pgr-jwq8 actively exploited?

No confirmed active exploitation of GHSA-6wj5-5pgr-jwq8 has been reported, but organizations should still patch proactively.

How to fix GHSA-6wj5-5pgr-jwq8?

1. Patch immediately: upgrade open-webui to >= 0.4.7, which pins python-multipart to a patched version (fixes GHSA-59g5-xgcq-4qw3 / CVE-2024-53981). 2. If patching is not immediately possible: block or rate-limit file upload endpoints (/api/v1/files or equivalent) at WAF/reverse proxy; reject multipart/form-data requests with boundary strings exceeding 70 characters (RFC 2046 limit). 3. Audit your full Python AI stack for python-multipart < 0.0.18—FastAPI, Starlette, and other frameworks share this dependency. 4. Detection: monitor for CPU saturation spikes or HTTP 5xx error bursts correlated with multipart POST requests to file upload endpoints. 5. In cloud deployments, set resource quotas (CPU limits) on the open-webui container to bound the DoS blast radius.

What systems are affected by GHSA-6wj5-5pgr-jwq8?

This vulnerability affects the following AI/ML architecture patterns: ML UI/Chat interfaces, self-hosted LLM deployments, model serving.

What is the CVSS score for GHSA-6wj5-5pgr-jwq8?

GHSA-6wj5-5pgr-jwq8 has a CVSS v3.1 base score of 7.5 (HIGH).

Technical Details

NVD Description

A vulnerability in open-webui/open-webui version 79778fa allows an attacker to cause a Denial of Service (DoS) by uploading a file with a malformed multipart boundary. By appending a large number of characters to the end of the multipart boundary, the server continuously processes each character, rendering the application inaccessible. This issue can prevent all users from accessing the application until the server recovers.

Exploitation Scenario

An adversary targeting an organization's internal AI platform identifies an exposed open-webui instance—common in dev and research environments, frequently deployed without authentication. They craft a multipart/form-data POST to the file upload endpoint with a boundary value padded with thousands of characters (e.g., `Content-Type: multipart/form-data; boundary=--------AAAA...x10000`). The server's python-multipart parser iterates character-by-character through the oversized boundary, pegging CPU at 100%. Looped in a simple script, the attacker maintains persistent DoS with minimal bandwidth, blocking the entire team from accessing their LLM tooling indefinitely. No CVE exploitation skill, authentication, or AI expertise required—this is a trivial HTTP request crafting exercise.