Cato CTRL™ Threat Research: Vulnerability Discovered in Open WebUI Enables Account Takeover and Remote Code Execution (CVE-2025-64496)

Open WebUI v0.6.34 and older contain a high-severity vulnerability (CVE-2025-64496, CVSS 7.3) in the Direct Connections feature that lets a malicious model server stream SSE “execute” events which run JavaScript in the user’s browser, enabling JWT theft and account takeover. If a compromised user has workspace.tools permission, the attacker can create malicious Tools that run unsandboxed Python via exec() on the backend, leading to full server compromise; update to v0.6.35 or newer.

Key points

  • Researcher Vitaly Simonovich (Cato CTRL) discovered CVE-2025-64496 affecting Open WebUI v0.6.34 and older when Direct Connections are enabled.
  • The flaw allows streamed SSE “execute” events to be evaluated via new Function(), causing arbitrary JavaScript execution in a victim’s browser and rapid JWT exfiltration from localStorage.
  • Account takeover consequences include access to chats, uploaded documents, API keys, and the ability to impersonate victims indefinitely.
  • Conditional RCE: if the compromised account has workspace.tools permission, stolen tokens can be used to create Tools that execute arbitrary unsandboxed Python (exec()), leading to full server compromise.
  • Open WebUI patched the issue in v0.6.35 by blocking execute events from Direct Connections; organizations should update and restrict Direct Connections and workspace.tools grants.
  • Cato SASE Cloud (ATP, IPS, ZTNA) and Cato MDR detect and block exploitation behaviors and abnormal JavaScript/token exfiltration patterns related to this CVE.
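
The fix described above (blocking execute events that arrive over a Direct Connection) can be sketched as a source-aware event filter. This is an added example, not Open WebUI's code: the event shape {type, data}, the allowlisted type names, the "direct"/"backend" source labels and the sample stream are assumptions constructed for illustration.

```javascript
// Added example, not Open WebUI source. Event shape, type names and source
// labels are hypothetical; the stream below is constructed sample data.
const DIRECT_ALLOWED = new Set(["chat:completion", "status"]);

// Parse a raw SSE body into JSON events; unparseable payloads are kept as
// "malformed" markers so they can be logged rather than silently lost.
function parseSse(raw) {
  const events = [];
  for (const block of raw.split(/\r?\n\r?\n/)) {
    const payload = block
      .split(/\r?\n/)
      .filter((line) => line.startsWith("data:"))
      .map((line) => line.slice(5).trimStart())
      .join("\n");
    if (!payload || payload === "[DONE]") continue;
    try {
      events.push(JSON.parse(payload));
    } catch {
      events.push({ type: "malformed", data: null });
    }
  }
  return events;
}

// Events from a user-added model server ("direct") pass only if allowlisted,
// so "execute" never reaches a handler. Nothing here evaluates data.code.
function filterEvents(events, source) {
  const accepted = [];
  const dropped = [];
  for (const ev of events) {
    const type = ev && typeof ev.type === "string" ? ev.type : "untyped";
    const allowed =
      source === "direct"
        ? DIRECT_ALLOWED.has(type)
        : type !== "malformed" && type !== "untyped";
    (allowed ? accepted : dropped).push({ type, data: ev ? ev.data : null });
  }
  return { accepted, dropped };
}

const SAMPLE = [
  'data: {"type":"chat:completion","data":{"content":"Hello"}}',
  'data: {"type":"execute","data":{"code":"/* constructed placeholder */"}}',
  "data: not-json",
  "data: [DONE]",
].join("\n\n");

const result = filterEvents(parseSse(SAMPLE), "direct");
console.log(result.dropped.map((e) => e.type));
```

The dropped list is the useful detection signal: an execute event arriving from a Direct Connection endpoint is worth alerting on even when it is blocked.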

MITRE Techniques

  • [T1059.007] Command and Scripting Interpreter: JavaScript – Browser-side execution via dynamic evaluation: ‘evaluates data.code with new Function()’
  • [T1555.003] Credentials from Web Browsers – Tokens stolen from browser storage: ‘JSON web token (JWT) theft from localStorage.’
  • [T1204.002] User Execution: Malicious Link – User tricked into adding a malicious Direct Connection URL: ‘User adds a malicious Direct Connection URL’
  • [T1190] Exploit Public-Facing Application – Exploitation path using SSE execute events to trigger code execution: ‘Malicious SSE execute event → JavaScript runs via new Function() → token exfiltration → optional RCE via Tools API’
  • [T1567.002] Exfiltration Over Web Service – Exfiltration of stolen tokens to attacker-controlled server: ‘Token sent to threat actor’s server’
  • [T1203] Exploitation of Vulnerability – Backend remote code execution via unsandboxed exec() in Tools API: ‘The Tools API executes untrusted Python code via exec() without sandboxing or validation’

Indicators of Compromise

  • [CVE] vulnerability identifier – CVE-2025-64496
  • [Software Version] affected builds – Open WebUI v0.6.34 and older (v0.6.35+ patched)
  • [File path] vulnerable frontend component – src/lib/components/chat/Chat.svelte
  • [API Endpoint] vulnerable backend API – POST /api/v1/tools/create (executes untrusted Python when workspace.tools is granted)
  • [Auth Token] stolen credential artifact – JWT from localStorage (token exfiltrated to attacker-controlled server)
  • [Malicious Endpoint] attacker-controlled Direct Connection URL – malicious model/SSE endpoint used to deliver execute events (example: attacker-controlled model URL), and other similar endpoints observed during exploitation attempts


Read more: https://www.catonetworks.com/blog/cato-ctrl-vulnerability-discovered-open-webui-cve-2025-64496/