Audit of AI Assistant Reveals Potential CVEs

A security audit of a popular open-source AI assistant resulted in the identification of three potential CVEs. The vulnerabilities included insecure default configurations, an authentication bypass, and data exposure. The findings demonstrate that AI-powered tools are susceptible to classic security flaws and create new vectors for exploitation.

- One identified vulnerability, CVE-2025-63391, was an authentication bypass in Open WebUI versions up to 0.6.32 that affected the `/api/config` endpoint. This flaw allowed unauthenticated remote attackers to access sensitive system configuration data because the endpoint lacked proper access controls.
- Another high-severity vulnerability, CVE-2025-64496, impacted Open WebUI versions 0.6.34 and older. Discovered by security researcher Vitaly Simonovich, this flaw in the "Direct Connections" feature could lead to account takeover and even remote code execution if the compromised user had `workspace.tools` permissions enabled.
- The exploitation of CVE-2025-64496 involves tricking a user into connecting to a malicious, OpenAI-compatible model server. The hostile server can then send a crafted message that executes JavaScript in the user's browser, allowing the attacker to steal authentication tokens from localStorage.
- The audit findings align with several categories in the OWASP Top 10 for Large Language Model Applications, a project created to raise awareness about new threats in AI systems. The data exposure and insecure configuration issues are related to risks like LLM06: Sensitive Information Disclosure and LLM07: Insecure Plugin Design.
- Misconfigured Open WebUI instances have been exploited in the wild to deliver malware. In one campaign discovered by Sysdig, attackers exploited an instance left open to the internet with no authentication to upload malicious AI-generated Python code, which then deployed cryptominers and information stealers.
- In addition to these issues, a Server-Side Request Forgery (SSRF) vulnerability, CVE-2025-65958, was found in versions prior to 0.6.37. This allowed any authenticated user to force the server to make HTTP requests to arbitrary URLs, potentially exposing internal network services and cloud metadata endpoints.
- The Open WebUI development team has released patches for the identified vulnerabilities. For instance, the authentication bypass was fixed in versions after 0.6.32, the Direct Connections flaw was addressed in version 0.6.35, and the SSRF vulnerability was patched in version 0.6.37.
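The SSRF item above describes the failure mode in general terms: a server-side feature that fetches a user-supplied URL, with no check on where that URL actually points, becomes a proxy into the internal network and cloud metadata services. The guard below is an added example of the mitigation, written for this briefing and not taken from Open WebUI or the cited advisories. It assumes a generic "fetch this URL" feature, resolves the hostname before any request is made, and refuses destinations in loopback, private, link-local (which includes the 169.254.0.0/16 metadata block) and IPv4-mapped IPv6 ranges. The resolver is injectable so the policy can be tested offline against constructed DNS answers.

```python
"""SSRF guard for a user-supplied outbound URL (added example, hypothetical API).

Policy: allow only http/https, refuse embedded credentials, resolve the host
(or accept a literal IP), and reject the URL if ANY resulting address falls in
loopback, private, link-local or carrier-grade NAT space. Link-local covers the
169.254.0.0/16 block used by cloud instance-metadata endpoints.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Address space a server-side fetch must never reach.
BLOCKED_NETWORKS = [
    ipaddress.ip_network(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
        "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
        "::1/128", "fc00::/7", "fe80::/10",
    )
]


def system_resolver(host):
    """Default resolver: every A/AAAA address the host maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_blocked_ip(ip_text):
    """True if the address is in a range that must not be contacted."""
    ip = ipaddress.ip_address(ip_text)
    # An IPv4-mapped IPv6 literal (::ffff:10.0.0.1) is judged by its IPv4 part,
    # otherwise it would slip past the IPv4 block list.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_outbound_url(url, resolver=system_resolver):
    """Return (allowed, reason) for a URL a user asked the server to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        # Literal IP: no DNS lookup needed, check it directly.
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"cannot resolve {host}: {exc}"
    # A hostname under attacker control can answer with a mix of public and
    # private records, so one internal answer is enough to refuse the URL.
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"{host} -> {addr} is an internal address"
    return True, "ok"


# Constructed DNS answers for an offline demonstration (example.test and
# evil.test are not real hosts; 203.0.113.0/24 is the documentation range).
FAKE_DNS = {
    "example.test": {"203.0.113.10"},
    "evil.test": {"203.0.113.11", "10.0.0.5"},
}


def fake_resolver(host):
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed resolver has no record for {host}")


if __name__ == "__main__":
    for u in ("https://example.test/v1/models",
              "https://evil.test/v1/models",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:10.0.0.1]/",
              "file:///etc/passwd"):
        print(u, "->", check_outbound_url(u, fake_resolver))
```

Two caveats a practitioner would add in real deployment: the check resolves the name once, so the fetch itself should connect to the address that was validated (pin the resolved IP) rather than resolving again, which closes DNS-rebinding windows; and HTTP redirects must be re-validated hop by hop, since an allowed public URL can redirect to an internal one.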
