open-webui Vulnerable to Stored XSS via Model Description

[!IMPORTANT] Relationship to CVE-2024-7990

CVE-2024-7990 (issued by huntr.dev, March 2025) describes a stored XSS in the same field — the model description — but exploits a different bypass mechanism: a second-order injection through the sanitizeResponseContent function's video-tag placeholder restoration logic in v0.3.x. That bypass was closed in v0.4.0 by removing the video exemption from the sanitizer.

The vulnerability described in this advisory is structurally distinct: a markdown-link payload with a javascript: URI passes through sanitizeResponseContent unchanged (no angle brackets), is then parsed by marked.parse() into an `` element, and rendered live by {@html}. This is a pipeline-ordering flaw where the dangerous construct is introduced after sanitization completes. Removing the video exemption has no effect on this primitive.

Affected range: v0.3.5 through v0.8.12 inclusive. Fixed in: v0.9.0 (commit 5eab125, which wraps marked.parse() output in DOMPurify.sanitize).

Both vulnerabilities are independently fixable under CVE rule 4.2.11. CVE assignment for this advisory has been requested separately on that basis.

Summary

This is a stored cross-site scripting (XSS) vulnerability that allows any authenticated user with model creation permission (workspace.models) to execute arbitrary JavaScript in the browser of any other user (including admins) who views the malicious model in the chat UI.

Details

Root Cause: Model descriptions are rendered in two Svelte components via this chain: sanitizeResponseContent(description) → .replaceAll('\n', '') → marked.parse() → {@html ...}

The model description is stored in the database without prior sanitization. Then uses this sanitization function before applying the results to the description.

index.ts:82-92

export const sanitizeResponseContent = (content: string) => {
    return content
        .replace(/