The developers behind Open WebUI, an open-source and self-hosted AI interface framework, have issued a security advisory disclosing a high-severity vulnerability (CVE-2025-64495, CVSS 8.7) affecting versions up to 0.6.34. The flaw resides in the platform’s prompt-handling functionality when the “Insert Prompt as Rich Text” feature is enabled, allowing attackers to achieve stored DOM-based cross-site scripting (XSS) that can escalate to account takeover (ATO) or even remote code execution (RCE) on the host system.
According to the project maintainers, “The functionality that inserts custom prompts into the chat window is vulnerable to DOM XSS when ‘Insert Prompt as Rich Text’ is enabled, since the prompt body is assigned to the DOM sink .innerHTML without sanitisation.”
This means that any user with permission to create prompts can inject malicious HTML or JavaScript code into the platform, which will execute whenever another user interacts with the compromised prompt.
The vulnerability stems from a code fragment in open-webui/src/lib/components/common/RichTextInput.svelte at line 348, where user-supplied HTML is directly rendered in the browser.
“User-controlled HTML from the prompt body is assigned to tempDiv.innerHTML without (meaningful) sanitisation,” the advisory explains, adding that the Markdown parser used (marked.parse) “does not sanitise the content, as stated in their README.”
Researchers demonstrated a proof-of-concept (PoC) exploit where an attacker could craft a malicious prompt and trigger it using the /poc command in the chat interface. Upon execution, the injected payload would run in the victim’s browser context, potentially exfiltrating session tokens or performing unauthorized actions.
While this flaw is serious for any user, the risk becomes catastrophic if an administrator account is affected. The advisory warns that:
“Since admins can naturally run arbitrary Python code on the server via the ‘Functions’ feature, this XSS could be used to force any admin that triggers it to run one such function with Python code of the attacker’s choosing.”
By exploiting the XSS to impersonate legitimate admin requests, attackers can create and execute malicious server-side Python functions. One of the provided PoC payloads used the following technique:
If successfully triggered, the payload can open a reverse shell connection from the Open WebUI host, granting the attacker full command-line control.
The Open WebUI project has addressed this issue in version 0.6.35, which introduces proper HTML sanitization.
Users and administrators are strongly advised to upgrade immediately and verify that “Insert Prompt as Rich Text” remains disabled unless strictly required. Enabling Content Security Policy (CSP) and sandboxing mechanisms is also recommended to further reduce exposure.
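Because the payload is stored in the prompt body, the upgrade is also a good moment to review existing prompts for markup that the unsanitised .innerHTML path would have activated. The triage script below is an added example, not code from Open WebUI or its advisory; the record fields (command, content, user_id), the sample records and the rule list are assumptions, and it is a review aid rather than a sanitiser.

```javascript
// Added example: triage stored prompt bodies for markup that an unsanitised
// .innerHTML sink would activate. Field names and sample records are assumptions.
const URL_SCHEMES = "(javascript:|vbscript:|data:text\\/html)";
const RULES = [
  { id: "active-tag", re: /<\s*(script|iframe|object|embed|svg|math|style|link|meta|base|form)\b/i },
  { id: "event-handler-attr", re: /<[^>]*\son[a-z]+\s*=/i },
  { id: "script-url-attr", re: new RegExp("(href|src|action|formaction)\\s*=\\s*[\"']?\\s*" + URL_SCHEMES, "i") },
  // Markdown link syntax that a non-sanitising renderer turns into an href.
  { id: "markdown-script-url", re: new RegExp("\\]\\(\\s*" + URL_SCHEMES, "i") },
];

// Decode numeric and a few named entities that can hide the patterns above.
function decodeEntities(s) {
  const cp = (n) => (n >= 0 && n <= 0x10ffff ? String.fromCodePoint(n) : "");
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&colon;/gi, ":")
    .replace(/&(tab|newline);/gi, "");
}

// Return one finding per prompt that matches at least one rule.
function auditPrompts(prompts) {
  const findings = [];
  for (const p of prompts) {
    const decoded = decodeEntities(String(p.content ?? ""));
    // URL parsers ignore tab/CR/LF inside a scheme, so also test a stripped view.
    const stripped = decoded.replace(/[\t\n\r]/g, "");
    const rules = RULES.filter((r) => r.re.test(decoded) || r.re.test(stripped)).map((r) => r.id);
    if (rules.length) findings.push({ command: p.command, user_id: p.user_id, rules });
  }
  return findings;
}

// Constructed sample records (not taken from the advisory or a real instance).
const SAMPLE_PROMPTS = [
  { command: "/summarise", user_id: "u-100", content: "Summarise the text in **three** bullet points:" },
  { command: "/greet", user_id: "u-200", content: 'Hello <img src="x" onerror="/* constructed marker */">' },
  { command: "/docs", user_id: "u-200", content: "See [the guide](java&#115;cript:void(0)) for details" },
  { command: "/compare", user_id: "u-300", content: "Explain when a < b and b > c implies a < c." },
];

for (const f of auditPrompts(SAMPLE_PROMPTS)) {
  console.log(`${f.command} (owner ${f.user_id}): ${f.rules.join(", ")}`);
}
```

A match is a reason to review the prompt and its owner by hand; a clean result does not prove the content is safe to render without sanitisation.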