[GH-ISSUE #13659] feat: CVEs and Evaluating Base Image Update #32516

Closed
opened 2026-04-25 06:26:53 -05:00 by GiteaMirror · 0 comments
Owner

Originally created by @Azzeo on GitHub (May 7, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/13659

Check Existing Issues

  • I have searched the existing issues and discussions.

Problem Description

A recent security scan (Trivy, 2025-05-07) of the ghcr.io/open-webui/open-webui:main Docker image has identified a number of vulnerabilities, including CRITICAL and HIGH severity CVEs. The current base image is python:3.11-slim-bookworm (Debian 12.10). Addressing these vulnerabilities and evaluating a newer base image would enhance the overall security and maintainability of the application.

Note that issue #12284 was closed due to the base image being upgraded to Python 3.12 (#12520). However, this pull request was reverted due to the ARM64/linux cuda build failure.

Desired Solution you'd like

  • Systematically review and address the identified CRITICAL and HIGH severity vulnerabilities.
  • Prioritize patches or updates for affected libraries directly within the current image if newer base images are not immediately feasible or if specific library versions are pinned for compatibility.
  • We should address the underlying issues related to the #12520 ARM64/Cuda issues. However, not everyone uses ARM64 or Cuda in their OWU (e.g. if you're using VLLM or GPT models/Claude).

Alternatives Considered

  • Continuing with the current base image and attempting to patch individual packages. This might be complex and not cover all vulnerabilities if patches are not available for Debian 12.10.
  • Perhaps an updated base image can be used if not affected by these issues, and revert to 3.11 if using ARM64/Cuda

Additional Context

Total Found (High & Critical): 89

  • CRITICAL: 4
  • HIGH: 85

The current Dockerfile (FROM python:3.11-slim-bookworm AS base) installs a number of OS packages. Moving to a newer version of Debian (when stable and suitable) or a regularly updated LTS base could provide more up-to-date security patches.
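The scan summary above (a count of CRITICAL and HIGH findings) does not by itself say which alternative is viable: findings with a fixed version in the current Debian release can be patched in-image, while findings with no fix available are the ones that argue for a newer base. The script below is an added example, not part of the original issue or of the open-webui project; it parses a report in the JSON shape Trivy emits for `trivy image -f json` and splits CRITICAL/HIGH findings into fixable and unfixable buckets, per result class (OS packages vs. language packages). The embedded report is constructed: the CVE identifiers (`CVE-EXAMPLE-…`), package names and versions are placeholders, not findings from the real scan.

```python
import json
from collections import Counter

# Constructed sample in the shape of a Trivy JSON report. Identifiers, package
# names and versions are placeholders; they are not the real scan's findings.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "ghcr.io/open-webui/open-webui:main",
    "Results": [
        {
            "Target": "ghcr.io/open-webui/open-webui:main (debian 12.10)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
                 "Severity": "CRITICAL"},
                # No FixedVersion: the distro release has no patched package yet.
                {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libexample2",
                 "InstalledVersion": "2.3-4", "FixedVersion": "",
                 "Severity": "HIGH", "Status": "affected"},
                {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "libexample3",
                 "InstalledVersion": "0.9", "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "Python",
            "Class": "lang-pkgs",
            "Type": "python-pkg",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "examplepkg",
                 "InstalledVersion": "1.2.0", "FixedVersion": "1.2.1",
                 "Severity": "HIGH"},
            ],
        },
    ],
})

GATED_SEVERITIES = ("CRITICAL", "HIGH")


def triage(report_json, severities=GATED_SEVERITIES):
    """Split CRITICAL/HIGH findings into remediation buckets.

    fixable   -> a FixedVersion exists; an apt/pip upgrade in the image resolves it
    unfixable -> no fix in this distro release; only a base-image change helps
    """
    report = json.loads(report_json)
    summary = {"by_severity": Counter(), "by_class": Counter(),
               "fixable": [], "unfixable": []}
    for result in report.get("Results", []):
        # Trivy omits or nulls the key when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            if sev not in severities:
                continue
            summary["by_severity"][sev] += 1
            summary["by_class"][result.get("Class", "unknown")] += 1
            entry = (vuln["VulnerabilityID"], vuln["PkgName"],
                     vuln.get("InstalledVersion", ""), vuln.get("FixedVersion", ""))
            bucket = "fixable" if vuln.get("FixedVersion") else "unfixable"
            summary[bucket].append(entry)
    summary["total"] = sum(summary["by_severity"].values())
    return summary


def passes_gate(summary, max_critical=0, max_high=0):
    """CI-style gate: True only if the counts are within the allowed budget."""
    return (summary["by_severity"]["CRITICAL"] <= max_critical
            and summary["by_severity"]["HIGH"] <= max_high)


def render(summary):
    """Text summary in the same shape as the issue's 'Total Found' block."""
    lines = [f"Total Found (High & Critical): {summary['total']}"]
    for sev in GATED_SEVERITIES:
        lines.append(f"  * {sev}: {summary['by_severity'][sev]}")
    lines.append(f"Fixable in current image: {len(summary['fixable'])}")
    lines.append(f"No fix in current base:  {len(summary['unfixable'])}")
    for vid, pkg, installed, _ in summary["unfixable"]:
        lines.append(f"    {vid} {pkg} {installed} (needs base image change)")
    return "\n".join(lines)


if __name__ == "__main__":
    s = triage(SAMPLE_REPORT)
    print(render(s))
    print("gate:", "PASS" if passes_gate(s) else "FAIL")
```

To use it on a real report, replace `SAMPLE_REPORT` with the contents of the file written by `trivy image -f json -o report.json <image>`. The `unfixable` list is the part worth pasting into a base-image discussion: if it is empty, in-image patching (the issue's first alternative) covers everything; if it is not, those entries are the concrete argument for a newer base.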


Reference: github-starred/open-webui#32516