In version 0.3.8 of open-webui, an endpoint for converting markdown to HTML is exposed without authentication. A maliciously crafted markdown payload can cause the server to spend excessive time converting it, leading to a denial of service. The server becomes unresponsive to other requests until the conversion is complete.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| open-webui(PyPI) | 0 | N/A | N/A |
CVSS Metrics
