|
| 1 | +--- |
| 2 | +sidebar_position: 800 |
| 3 | +title: "CVE-2024-7033" |
| 4 | +--- |
| 5 | + |
| 6 | +# CVE-2024-7033 |
| 7 | + |
| 8 | +| | | |
| 9 | +| :--- | :--- | |
| 10 | +| **CVE ID** | [CVE-2024-7033](https://www.cve.org/CVERecord?id=CVE-2024-7033) | |
| 11 | +| **Vendor Disposition** | Rejected, out of scope | |
| 12 | +| **Published** | 2025-03-20 | |
| 13 | +| **Issuing CNA** | huntr / Protect AI (from a [bounty report](https://huntr.com/bounties/7078261f-8414-4bb7-9d72-a2a4d8bfd5d1)) | |
| 14 | +| **Claimed Severity** | Medium (CVSS 6.5, CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H) | |
| 15 | + |
| 16 | +--- |
| 17 | + |
| 18 | +## Timeline |
| 19 | + |
| 20 | +This CVE is disputed. The assessment below is Open WebUI's position. |
| 21 | + |
| 22 | +| Date | Event | |
| 23 | +| :--- | :--- | |
| 24 | +| 2025-03-20 | huntr / Protect AI publishes the CVE. | |
| 25 | +| 2026-07-08 | Open WebUI publishes this disposition, rejecting the report as out of scope. | |
| 26 | +| 2026-07-08 | Open WebUI contacts huntr / Protect AI directly to dispute the record. | |
| 27 | + |
| 28 | +As of 2026-07-08, the dispute has been raised with the issuing CNA (huntr / Protect AI) and the CVE record has not been amended. This disposition stands as Open WebUI's official assessment. |
| 29 | + |
| 30 | +--- |
| 31 | + |
| 32 | +## What the CVE Claims |
| 33 | + |
| 34 | +The report, titled "Arbitrary File Write leading into Remote Code Execution when deployed in Windows", concerns the model-download endpoint. It explains that the endpoint downloads a file from a URL on an allowed host (`huggingface.co`), derives the destination filename from the URL path by splitting on `/` only, and writes it to `file_path = f"{UPLOAD_DIR}/{file_name}"`. Because backslashes are not handled, on a Windows host an administrator can submit a URL whose path contains `\..\` sequences (the proof of concept uses `https://huggingface.co/.../main/\..\..\..\..\..\WINDOWS\Temp\pwned`) and have the download written outside `UPLOAD_DIR` to an arbitrary path. The report argues this can overwrite system files and be escalated to remote code execution. It is classified as CWE-29 (path traversal, `\..\filename`). |
| 35 | + |
| 36 | +--- |
| 37 | + |
| 38 | +## Why This Is Out of Scope |
| 39 | + |
| 40 | +The endpoint, `POST /ollama/models/download` (the `download_model` handler), is gated by `Depends(get_admin_user)`. Only an administrator can call it. This was true in the reported version (v0.3.8) and remains true today, and it applies only to Windows deployments. The report's own CVSS vector scores this as **PR:H** (high privileges required): the party in the scenario is an administrator. |
| 41 | + |
| 42 | +### What This Actually Is |
| 43 | + |
| 44 | +The traversal is in the URL the administrator supplies, not in a model that acts on its own. The host allowlist checks only the URL prefix (`https://huggingface.co/`), and the filename is taken from the URL path split on `/`, so backslash sequences placed after the allowed prefix survive into the filename and, on Windows, resolve as path separators. The bytes written come from whatever repository the administrator points the request at (the proof of concept uses a repository the reporter created for the purpose). In plain terms, an administrator crafts a request that writes chosen content to a chosen path on the server they operate. A normal model download from a normal URL writes into `UPLOAD_DIR` as intended; the escape happens only when the administrator places traversal sequences in the URL themselves. |
| 45 | + |
| 46 | +### An Administrator Already Has This Capability |
| 47 | + |
| 48 | +An administrator operates the server and already has arbitrary file write and arbitrary code execution on it, directly (shell, container or host access) and through the application: installing Tools and Functions runs arbitrary Python on the server by design (see [Rule 10](/security/security-policy#reporting-guidelines)). Writing a file to an arbitrary path through a crafted download URL grants an administrator nothing they cannot already do in one line, and the report's escalation to "remote code execution" is circular, because an administrator already has code execution on the instance as a designed feature. Even in the variant where an administrator is tricked into submitting a crafted URL, that is social engineering of an administrator, which is out of scope, and it still yields only what the administrator already controls. There is no path by which an unprivileged user reaches this endpoint. |
| 49 | + |
| 50 | +### Applicable Security Policy Rules |
| 51 | + |
| 52 | +- **[Rule 9](/security/security-policy#reporting-guidelines):** The action requires an administrator, or, in the tricked-admin variant, social engineering of an administrator. Administrators have full system control, including server-level file access and code execution. |
| 53 | +- **[Rule 10](/security/security-policy#reporting-guidelines):** The "remote code execution" the report escalates to is functionality administrators already have. Running code on the server via Tools and Functions is intended behavior. |
| 54 | +- **[Rule 7](/security/security-policy#reporting-guidelines):** The report does not account for Open WebUI's self-hosted, role-based architecture, in which administrators are trusted operators of the server. |
| 55 | + |
| 56 | +--- |
| 57 | + |
| 58 | +## Impact to Users |
| 59 | + |
| 60 | +**No action required.** The endpoint is reachable only by administrators, applies only to Windows deployments, and grants no capability an administrator does not already have on the server they operate. There is no exposure to unprivileged users. |
| 61 | + |
| 62 | +--- |
| 63 | + |
| 64 | +## References |
| 65 | + |
| 66 | +- [CVE-2024-7033 on CVE.org](https://www.cve.org/CVERecord?id=CVE-2024-7033) |
| 67 | +- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2024-7033) |
| 68 | +- [huntr bounty report](https://huntr.com/bounties/7078261f-8414-4bb7-9d72-a2a4d8bfd5d1) |
| 69 | +- [Open WebUI Security Policy](../security-policy) |
0 commit comments