
CVE-2025-29446

CVE ID: CVE-2025-29446
Vendor Disposition: Rejected — not a vulnerability
Published: 2025-04-21
Issuing CNA: MITRE
Claimed Severity: Low (CVSS 3.3 — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
CWE: CWE-918 (Server-Side Request Forgery)

What the CVE Claims

The verify_connection function in backend/open_webui/routers/ollama.py performs an outbound HTTP request using a URL string supplied by the caller, without sufficient URL validation, allowing the URL parameter to point to internal services (SSRF). The reported PoC sends POST /ollama/verify with a body such as {"url":"http://attacker/?id=1' or 1=1 -- #","key":""}, where the trailing # truncates the appended /api/version path, causing the server to make an arbitrary GET request to the attacker-supplied URL.


Why This Is Not a Vulnerability

The endpoint POST /ollama/verify is gated by a Depends(get_admin_user) authentication dependency. It is reachable only by administrators. Its sole purpose is to allow the administrator to verify that an Ollama model server URL — which the administrator themselves has just configured — responds correctly.

The "Attacker" Is the Administrator

The "attacker" in the cited scenario is the administrator entering a URL into a settings field that they own. The administrator can, of course, point the URL at internal services — that is the entire purpose of configuring a model server URL — but doing so does not constitute crossing a privilege boundary. There is no path by which an unprivileged user can reach this endpoint.

The same pattern (admin-authenticated outbound URL probe to verify a configured integration endpoint) is present in analogous router files for other model-provider integrations. None of these are reachable by unprivileged users.
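The reasoning above can be checked in a few lines. The following is an added illustration, not Open WebUI's code: it models the admin-only gate with a stand-in for the Depends(get_admin_user) dependency and shows, with only the standard library, why a trailing # in the configured URL swallows the appended /api/version path. The User class, role names and hostnames are assumptions for the example.

```python
"""Added example (not Open WebUI's code): models the access-control reasoning
in the rejection above. The real endpoint is a FastAPI route gated by
Depends(get_admin_user); the gate and the URL construction here are
stand-ins so the logic runs offline without making any request."""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class User:
    name: str
    role: str  # assumed roles: "admin" or "user"


def get_admin_user(user: User) -> User:
    """Stand-in for the admin-only dependency: a non-admin never reaches the handler."""
    if user.role != "admin":
        raise PermissionError("admin role required")
    return user


def build_probe_url(configured_url: str) -> str:
    """Return the URL the probe would actually request after /api/version is appended.

    Everything after '#' is a URL fragment, which an HTTP client never sends
    on the wire; a trailing '#' in the configured URL therefore swallows the
    appended path, exactly as the CVE's PoC describes.
    """
    parts = urlsplit(f"{configured_url}/api/version")
    # Drop the fragment, as the client does before sending the request.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))


def verify_connection(caller: User, url: str) -> str:
    """Stand-in for the handler: the gate runs first, so only an administrator
    can trigger the outbound probe and choose its destination."""
    get_admin_user(caller)
    return build_probe_url(url)


def probe_allowed(caller: User, url: str) -> bool:
    """True if this caller could trigger the probe at all (i.e. is an admin)."""
    try:
        verify_connection(caller, url)
    except PermissionError:
        return False
    return True
```

Running it shows the two facts the rejection rests on: the only caller who can choose the probe destination already holds the admin role, and the # behaviour is ordinary URL-fragment handling rather than a filter bypass.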

Applicable Security Policy Rules

  • Rule 9: "Vulnerabilities that require an administrator to actively perform unsafe actions are not considered valid vulnerabilities. Admins have full system control and are expected to understand the security implications of their actions and configurations."

Disclosure Pathway

No report corresponding to this CVE was filed through the project's official reporting channel (GitHub Security Advisories) prior to publication.


Impact to Users

No action required. The cited endpoint is accessible only to administrators and serves its intended purpose of verifying admin-configured model server URLs.


This content is for informational purposes only and does not constitute a warranty, guarantee, or contractual commitment. Open WebUI is provided "as is." See your license for applicable terms.