[PR #23887] [CLOSED] fix: resolve 35 dependency CVEs including critical protobufjs RCE #43054

Closed
opened 2026-04-25 14:45:56 -05:00 by GiteaMirror · 0 comments
## 📋 Pull Request Information

**Original PR:** https://github.com/open-webui/open-webui/pull/23887
**Author:** [@beejak](https://github.com/beejak)
**Created:** 4/20/2026
**Status:** ❌ Closed
**Base:** `dev` ← **Head:** `fix/dependency-cves`

---

### 📝 Commits (10+)

- [`fe6783c`](https://github.com/open-webui/open-webui/commit/fe6783c16699911c7be17392596d579333fb110c) Merge pull request #19030 from open-webui/dev
- [`fc05e0a`](https://github.com/open-webui/open-webui/commit/fc05e0a6c5d39da60b603b4d520f800d6e36f748) Merge pull request #19405 from open-webui/dev
- [`e3faec6`](https://github.com/open-webui/open-webui/commit/e3faec62c58e3a83d89aa3df539feacefa125e0c) Merge pull request #19416 from open-webui/dev
- [`9899293`](https://github.com/open-webui/open-webui/commit/9899293f050ad50ae12024cbebee7e018acd851e) Merge pull request #19448 from open-webui/dev
- [`140605e`](https://github.com/open-webui/open-webui/commit/140605e660b8186a7d5c79fb3be6ffb147a2f498) Merge pull request #19462 from open-webui/dev
- [`6f1486f`](https://github.com/open-webui/open-webui/commit/6f1486ffd0cb288d0e21f41845361924e0d742b3) Merge pull request #19466 from open-webui/dev
- [`d95f533`](https://github.com/open-webui/open-webui/commit/d95f533214e3fe5beb5e41ec1f349940bc4c7043) Merge pull request #19729 from open-webui/dev
- [`a727153`](https://github.com/open-webui/open-webui/commit/a7271532f8a38da46785afcaa7e65f9a45e7d753) 0.6.43 (#20093)
- [`6adde20`](https://github.com/open-webui/open-webui/commit/6adde203cd292a9e3af9c64a2ae36b603fed096a) Merge pull request #20394 from open-webui/dev
- [`f9b0534`](https://github.com/open-webui/open-webui/commit/f9b0534e0c442631d1cb7205169588b9b6204179) Merge pull request #20522 from open-webui/dev

### 📊 Changes

**5 files changed** (+123 additions, -201 deletions)

- 📝 `package-lock.json` (+116 -194)
- 📝 `package.json` (+1 -1)
- 📝 `src/lib/components/chat/FileNav.svelte` (+2 -2)
- 📝 `src/lib/components/common/FileItemModal.svelte` (+2 -2)
- 📝 `src/lib/utils/excelToTable.ts` (+2 -2)

### 📄 Description

## Summary

Two commits resolving **all** critical and high severity vulnerabilities.

| Severity | Before | After |
|---|---|---|
| Critical | 1 | **0** |
| High | 12 | **0** |
| Medium | 36 | 6 |
| Low | 1 | 8 |
| **Total** | **50** | **14** |

---

## Commit 1 — `npm audit fix` (35 CVEs)

**Critical resolved:**

- **protobufjs** — Arbitrary code execution ([GHSA-h755-8qp9-cq85](https://github.com/advisories/GHSA-h755-8qp9-cq85))

**High resolved:**

- **lodash / lodash-es** — Code injection via `_.template` + prototype pollution
- **@sveltejs/kit** — Unvalidated redirect DoS + `BODY_SIZE_LIMIT` bypass
- **@xmldom/xmldom** — XML injection via unsafe CDATA serialization
- **chevrotain / chevrotain-allstar / langium** — lodash-es chain
- **picomatch** — Method injection + ReDoS via extglob quantifiers

---

## Commit 2 — xlsx → @e965/xlsx (2 CVEs)

`xlsx@0.18.5` (SheetJS) has two unresolved CVEs with no fix on npm — the package was abandoned. Both are exploitable via **user-uploaded Excel files**:

- **[GHSA-4r6h-8v6p-xvw6](https://github.com/advisories/GHSA-4r6h-8v6p-xvw6)** — Prototype Pollution when parsing malicious `.xlsx` files (HIGH)
- **[GHSA-5pgg-2g8v-p4x9](https://github.com/advisories/GHSA-5pgg-2g8v-p4x9)** — ReDoS via crafted spreadsheet content (HIGH)

Replaced with `@e965/xlsx` — the API-compatible community security fork. Three import lines changed, no API changes:

- `src/lib/utils/excelToTable.ts`
- `src/lib/components/chat/FileNav.svelte`
- `src/lib/components/common/FileItemModal.svelte`

---

## Testing

- `npm audit` confirms 0 critical, 0 high after changes
- Excel file preview: upload `.xlsx`, sheets render correctly
- All existing import paths updated to `@e965/xlsx` (identical API)

---

## Contributor License Agreement

I have read the [Contributor License Agreement](https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT) and by submitting this pull request, I agree to its terms.

---

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
GiteaMirror added the pull-request label 2026-04-25 14:45:56 -05:00
Reference: github-starred/open-webui#43054