diff --git a/advisories/unreviewed/2025/04/GHSA-2823-wfgm-j3hr/GHSA-2823-wfgm-j3hr.json b/advisories/unreviewed/2025/04/GHSA-2823-wfgm-j3hr/GHSA-2823-wfgm-j3hr.json
index cb38528d19b5c..0950bd4c338af 100644
--- a/advisories/unreviewed/2025/04/GHSA-2823-wfgm-j3hr/GHSA-2823-wfgm-j3hr.json
+++ b/advisories/unreviewed/2025/04/GHSA-2823-wfgm-j3hr/GHSA-2823-wfgm-j3hr.json
@@ -6,19 +6,41 @@
 "aliases": [
 "CVE-2025-29446"
 ],
- "details": "open-webui v0.5.16 is vulnerable to SSRF in routers/ollama.py in function verify_connection.",
+ "summary": "[DISPUTED BY VENDOR] open-webui SSRF in routers/ollama.py verify_connection",
+ "details": "> **DISPUTED BY VENDOR (Open WebUI maintainers).** This advisory does not describe a vulnerability. The cited endpoint (`routers/ollama.py:verify_connection`) is gated by an admin-only authentication dependency — reachable only by administrators verifying a model-server URL they themselves just configured. The \"attacker\" is the administrator typing a URL into a settings field they own. Out of scope per the Open WebUI security policy (Rule 9, Admin Actions). The vendor was not contacted before publication (originated from a personal markdown file in an unrelated GitHub repository, submitted directly to MITRE). A formal REJECT request is pending with MITRE. See: https://docs.openwebui.com/security/vendor-dispositions/cve-2025-29446/\n\n---\n\nopen-webui v0.5.16 is vulnerable to SSRF in routers/ollama.py in function verify_connection.",
 "severity": [
 {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
 }
 ],
- "affected": [],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": ""
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
 "references": [
 {
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29446"
 },
+ {
+ "type": "WEB",
+ "url": "https://docs.openwebui.com/security/vendor-dispositions/cve-2025-29446"
+ },
 {
 "type": "WEB",
 "url": "https://github.com/jcxj/jcxj/blob/master/source/_posts/open-webui-ssrf%E6%BC%8F%E6%B4%9E.md"
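Review bot: The new `affected` entry leaves the package name empty (`"name": ""`), so the OSV range with `"introduced": "0"` and no `fixed` or `last_affected` event asserts that every version of a nameless PyPI package is affected — tooling that matches on ecosystem plus name will never match the real project, and tooling that treats an empty name loosely could flag unrelated packages. The `details` text names the project as `open-webui`; if that is the intended PyPI distribution the line should read `"name": "open-webui"`, and given the vendor dispute and the absence of a fix version it is worth confirming that an open-ended range is wanted at all rather than keeping `affected` empty until the pending MITRE reject request resolves. Separately, the dispute URL is cited with a trailing slash inside `details` but without one in the new `references` entry; the two should agree so deduplication by URL works.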