mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-11 10:34:13 -05:00
[PR #24491] [MERGED] fix: prevent redirect-based SSRF in web-fetch and image-load call sites #82552
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/24491
Author: @Classic298
Created: 5/9/2026
Status: ✅ Merged
Merged: 5/9/2026
Merged by: @tjbck
Base:
dev← Head:fix/ssrf-redirect-bypass-cluster📝 Commits (1)
9eb5004fix: prevent redirect-based SSRF in web-fetch and image-load call sites📊 Changes
3 files changed (+22 additions, -3 deletions)
View changed files
📝
backend/open_webui/retrieval/utils.py(+5 -1)📝
backend/open_webui/retrieval/web/utils.py(+11 -0)📝
backend/open_webui/routers/images.py(+6 -2)📄 Description
validate_url() in retrieval/web/utils.py only validates the initial URL. The HTTP clients used downstream (sync requests, sync requests via the parent WebBaseLoader._scrape, aiohttp via load_url_image) followed 3xx redirects by default and did not re-validate the redirect target against the private-IP / metadata-IP block list. An authenticated user could submit a public URL that 302-redirected to an internal address (RFC1918, 127.0.0.1, 169.254.169.254, etc.) and the redirected response was returned to them, enabling SSRF reads of internal services and cloud metadata.
Three call sites needed allow_redirects=False to match the policy already enforced on the async _fetch() path:
Reports consolidated under GHSA-rh5x-h6pp-cjj6:
Contributor License Agreement
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.