[PR #24491] [MERGED] fix: prevent redirect-based SSRF in web-fetch and image-load call sites #114989

Closed
opened 2026-05-18 15:53:45 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/24491
Author: @Classic298
Created: 5/9/2026
Status: Merged
Merged: 5/9/2026
Merged by: @tjbck

Base: devHead: fix/ssrf-redirect-bypass-cluster


📝 Commits (1)

  • 9eb5004 fix: prevent redirect-based SSRF in web-fetch and image-load call sites

📊 Changes

3 files changed (+22 additions, -3 deletions)

View changed files

📝 backend/open_webui/retrieval/utils.py (+5 -1)
📝 backend/open_webui/retrieval/web/utils.py (+11 -0)
📝 backend/open_webui/routers/images.py (+6 -2)

📄 Description

validate_url() in retrieval/web/utils.py only validates the initial URL. The HTTP clients used downstream (sync requests, sync requests via the parent WebBaseLoader._scrape, aiohttp via load_url_image) followed 3xx redirects by default and did not re-validate the redirect target against the private-IP / metadata-IP block list. An authenticated user could submit a public URL that 302-redirected to an internal address (RFC1918, 127.0.0.1, 169.254.169.254, etc.) and the redirected response was returned to them, enabling SSRF reads of internal services and cloud metadata.

Three call sites needed allow_redirects=False to match the policy already enforced on the async _fetch() path:

  • SafeWebBaseLoader: override requests_kwargs in init so that the inherited synchronous _scrape() path passes allow_redirects=False to self.session.get() (the parent WebBaseLoader uses requests' default allow_redirects=True).
  • get_content_from_url (retrieval/utils.py): pass allow_redirects=False on the streamed requests.get(...) call.
  • load_url_image (routers/images.py, image-edits endpoint): pass allow_redirects=False on the aiohttp session.get(...) call.

Reports consolidated under GHSA-rh5x-h6pp-cjj6:

  • GHSA-rh5x-h6pp-cjj6 (tenbbughunters / Tenable) - sync _scrape
  • GHSA-5vxg-6gmv-m2qr (YLChen-007) - load_url_image
  • GHSA-hf76-c83f-63w2 (tempcollab) - aiohttp _fetch (already fixed)
  • GHSA-h55f-h5fh-mvm4 (sneaXOR) - get_content_from_url

Contributor License Agreement

Note

Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/24491 **Author:** [@Classic298](https://github.com/Classic298) **Created:** 5/9/2026 **Status:** ✅ Merged **Merged:** 5/9/2026 **Merged by:** [@tjbck](https://github.com/tjbck) **Base:** `dev` ← **Head:** `fix/ssrf-redirect-bypass-cluster` --- ### 📝 Commits (1) - [`9eb5004`](https://github.com/open-webui/open-webui/commit/9eb50041e83f41c5d5877dfee510202a557a8452) fix: prevent redirect-based SSRF in web-fetch and image-load call sites ### 📊 Changes **3 files changed** (+22 additions, -3 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/retrieval/utils.py` (+5 -1) 📝 `backend/open_webui/retrieval/web/utils.py` (+11 -0) 📝 `backend/open_webui/routers/images.py` (+6 -2) </details> ### 📄 Description validate_url() in retrieval/web/utils.py only validates the initial URL. The HTTP clients used downstream (sync requests, sync requests via the parent WebBaseLoader._scrape, aiohttp via load_url_image) followed 3xx redirects by default and did not re-validate the redirect target against the private-IP / metadata-IP block list. An authenticated user could submit a public URL that 302-redirected to an internal address (RFC1918, 127.0.0.1, 169.254.169.254, etc.) and the redirected response was returned to them, enabling SSRF reads of internal services and cloud metadata. Three call sites needed allow_redirects=False to match the policy already enforced on the async _fetch() path: - SafeWebBaseLoader: override requests_kwargs in __init__ so that the inherited synchronous _scrape() path passes allow_redirects=False to self.session.get() (the parent WebBaseLoader uses requests' default allow_redirects=True). - get_content_from_url (retrieval/utils.py): pass allow_redirects=False on the streamed requests.get(...) call. - load_url_image (routers/images.py, image-edits endpoint): pass allow_redirects=False on the aiohttp session.get(...) call. Reports consolidated under GHSA-rh5x-h6pp-cjj6: - GHSA-rh5x-h6pp-cjj6 (tenbbughunters / Tenable) - sync _scrape - GHSA-5vxg-6gmv-m2qr (YLChen-007) - load_url_image - GHSA-hf76-c83f-63w2 (tempcollab) - aiohttp _fetch (already fixed) - GHSA-h55f-h5fh-mvm4 (sneaXOR) - get_content_from_url ### Contributor License Agreement <!-- 🚨 DO NOT DELETE THE TEXT BELOW 🚨 Keep the "Contributor License Agreement" confirmation text intact. Deleting it will trigger the CLA-Bot to INVALIDATE your PR. Your PR will NOT be reviewed or merged until you check the box below confirming that you have read and agree to the terms of the CLA. --> - [x] By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. > [!NOTE] > Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-05-18 15:53:45 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#114989