Any open-webui deployment at or below version 0.3.32 is exposed to unauthenticated denial-of-service — an attacker needs zero credentials and zero AI/ML knowledge to crash the service via memory exhaustion in the underlying starlette HTTP layer. Upgrade open-webui immediately and confirm fastapi >= 0.115.3 is present; if patching is blocked, place the service behind a rate-limiting reverse proxy as a compensating control. Availability-only impact limits blast radius, but internet-exposed LLM portals are trivially findable and exploitable.
Risk Assessment
High severity (CVSS 7.5): network attack vector, low attack complexity, no privileges and no user interaction required, the ideal profile for automated exploitation. The underlying starlette flaw (CVE-2024-47874, unbounded in-memory buffering of multipart form fields) is publicly documented upstream, and triggering it requires nothing beyond the ability to send HTTP requests. It is not currently in CISA KEV, which lowers escalation urgency for most organizations. Risk is highest for teams that expose open-webui directly to the internet or on flat internal networks without request body-size or rate limits at the edge; there, a single unskilled attacker can take the service fully offline with commodity HTTP tools.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| open-webui | pip | <= 0.3.32 | No patched version listed |
If you run open-webui at or below version 0.3.32, you are affected.
Recommended Action
Five steps:
1. Upgrade open-webui to the first release that pins fastapi >= 0.115.3 (which in turn pulls in a starlette release carrying the multipart fix). Verify the versions actually installed with `pip show starlette fastapi` after the upgrade; it is the starlette version that matters, not the fastapi pin alone.
2. If an immediate upgrade is blocked, deploy open-webui behind nginx or Caddy with connection and request rate limiting (`limit_req`, `limit_conn` in nginx) and a request body size cap (`client_max_body_size` in nginx) as compensating controls. The body cap is the more important of the two: the flaw is triggered by the size of a multipart request, so rate limiting alone does not stop a small number of oversized uploads.
3. Restrict network exposure: open-webui should never be reachable from the internet without authentication and rate limiting at the perimeter.
4. Add memory-usage monitoring and automated restart policies (systemd `Restart=`, Docker healthcheck) to reduce MTTR if exploitation occurs before patching.
5. Audit other FastAPI-based internal services for the same vulnerable starlette dependency.
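Steps 1 and 5 above both come down to checking which starlette and fastapi versions are actually installed in each environment. The script below is an added example (not code from this advisory or from the open-webui project) that parses `pip freeze`-style output from several services and flags any whose installed starlette or fastapi is below the fixed version. The fastapi threshold (0.115.3) is the one stated on this page; the starlette threshold (0.40.0) is taken from the upstream starlette fix for CVE-2024-47874 and is an assumption not stated on this page. The service names and freeze output are constructed sample data, not real inventory.

```python
"""Audit installed starlette/fastapi versions for CVE-2024-47874 exposure.

Added example: feeds `pip freeze`-style lines for several services through a
small version comparator and reports which ones still carry a vulnerable
starlette (or a fastapi pin that would reinstall one).
"""
import re

# Fixed versions. fastapi 0.115.3 is named in the advisory; starlette 0.40.0 is
# the upstream release that fixed CVE-2024-47874 (assumption, from the starlette
# advisory rather than from this page).
FIXED = {"fastapi": "0.115.3", "starlette": "0.40.0"}

_PIN = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)\s*$")
_VER = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$")


def parse_version(text):
    """Turn '0.38.6', '0.40.0rc1' or '0.40.0.post1' into a comparable tuple.

    A pre-release suffix (rc, a, b, dev) sorts below the final release of the
    same number; a .post suffix sorts above it. Only what this audit needs.
    """
    m = _VER.match(text.strip())
    if not m:
        raise ValueError("unparseable version: %r" % text)
    nums = tuple(int(x or 0) for x in m.group(1, 2, 3))
    suffix = m.group(4)
    if not suffix:
        rank = 0
    elif suffix.lstrip(".").startswith("post"):
        rank = 1
    else:
        rank = -1
    return nums + (rank,)


def parse_freeze(lines):
    """Map normalized package name -> version from `pip freeze` output.

    Editable installs (-e ...), URL installs (name @ ...), comments and blank
    lines are skipped; only plain name==version pins are considered.
    """
    pins = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("-e "):
            continue
        m = _PIN.match(line)
        if m:
            pins[m.group(1).lower().replace("_", "-")] = m.group(2)
    return pins


def audit(service, freeze_lines):
    """Return a list of findings for one service; an empty list means clean.

    Services without starlette at all are skipped. An old fastapi pin is
    reported even when starlette has been bumped by hand, because the next
    clean reinstall will resolve starlette back down to the vulnerable range.
    """
    pins = parse_freeze(freeze_lines)
    if "starlette" not in pins:
        return []
    findings = []
    for pkg, fixed in FIXED.items():
        installed = pins.get(pkg)
        if installed is not None and parse_version(installed) < parse_version(fixed):
            findings.append("%s: %s==%s is below fixed %s" % (service, pkg, installed, fixed))
    return findings


# Constructed sample inventory standing in for real `pip freeze` output.
SAMPLE_FREEZES = {
    # open-webui 0.3.32 era pins: both packages in the vulnerable range
    "open-webui": ["fastapi==0.111.0", "starlette==0.37.2",
                   "open-webui==0.3.32", "uvicorn==0.30.6"],
    # starlette bumped by hand, fastapi pin left old (constructed; ignores resolver conflicts)
    "rag-gateway": ["fastapi==0.112.0", "starlette==0.40.0"],
    # fully patched
    "model-router": ["fastapi==0.115.3", "starlette==0.41.2"],
    # not a FastAPI service at all
    "batch-worker": ["celery==5.4.0", "redis==5.0.8", "-e git+https://example.invalid/x#egg=x"],
}


def audit_all(freezes=SAMPLE_FREEZES):
    """Run the audit over every service and return {service: [findings]}."""
    return {svc: audit(svc, lines) for svc, lines in freezes.items()}


if __name__ == "__main__":
    for svc, findings in audit_all().items():
        print(svc, "->", findings or ["ok"])
```

In practice, replace `SAMPLE_FREEZES` with the output of `pip freeze` captured from each service's container or virtualenv; the script deliberately reports the fastapi pin separately so that a manual starlette bump is not mistaken for a durable fix.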
Frequently Asked Questions
What is GHSA-w466-2wfc-8g58?
GHSA-w466-2wfc-8g58 is the advisory for open-webui versions at or below 0.3.32, which ship (via their fastapi dependency) a starlette release vulnerable to unauthenticated denial of service through memory exhaustion (CVE-2024-47874). The fix is to upgrade to a release that pins fastapi >= 0.115.3; the summary and Recommended Action sections above give the details and compensating controls.
Is GHSA-w466-2wfc-8g58 actively exploited?
No confirmed active exploitation of GHSA-w466-2wfc-8g58 has been reported, but organizations should still patch proactively.
How to fix GHSA-w466-2wfc-8g58?
Follow the five steps under Recommended Action above: upgrade to a release that pins fastapi >= 0.115.3 and verify with `pip show starlette fastapi`; until then, front the service with nginx or Caddy enforcing rate limits and a request body size cap; keep it off the open internet; add memory monitoring with automatic restarts; and audit other FastAPI services for the same starlette version.
What systems are affected by GHSA-w466-2wfc-8g58?
This vulnerability affects the following AI/ML architecture patterns: LLM web interfaces, model serving, local LLM deployments, AI development environments.
What is the CVSS score for GHSA-w466-2wfc-8g58?
GHSA-w466-2wfc-8g58 has a CVSS v3.1 base score of 7.5 (HIGH).
Technical Details
NVD Description
In version 0.3.32 of open-webui, the application uses a vulnerable version of the starlette package through its dependency on fastapi. The starlette package versions <=0.49 are susceptible to uncontrolled resource consumption, which can be exploited to cause a denial of service through memory exhaustion. This issue is addressed in fastapi version 0.115.3.
Exploitation Scenario
An attacker discovers an internet-exposed open-webui instance via passive reconnaissance (Shodan, Censys; the default port 3000/8080 fingerprint is distinctive). Without credentials, they send multipart/form-data requests whose form fields starlette buffers in memory without a size bound, so a small number of oversized or repeated requests drive server RAM to exhaustion; the process is OOM-killed and the LLM backend becomes unavailable to all legitimate users. The whole chain needs only standard HTTP tooling (curl, wrk or a short Python script) and no understanding of AI/ML systems. In the worst case the attacker re-sends after each automated restart to keep the service down until it is patched.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Related Vulnerabilities
- CVE-2026-44551 (9.1), same package: open-webui: LDAP auth bypass, full account takeover
- CVE-2026-44552 (8.7), same package: open-webui: Redis cache poisoning enables cross-instance tool hijack
- CVE-2025-64495 (8.7), same package: Open WebUI: XSS-to-RCE via malicious prompt injection
- CVE-2025-65958 (8.5), same package: open-webui: SSRF allows internal network access
- CVE-2024-7990 (8.4), same package: open-webui: Stored XSS enables admin session hijack