Files
open-webui/backend/open_webui/utils
de8ea08f5c Route user-supplied image-URL fetches through an SSRF-safe session (DNS rebinding, CWE-918) (#25960)
The connection-layer DNS-rebinding guard (_SSRFSafeResolver / _SSRFSafeAdapter, PR #24759) was
mounted only on SafeWebBaseLoader. Two user-reachable image fetches validate the URL then fetch
it through the shared get_session() pool with the default resolver, so a TTL-0 rebinding answer
that passed validate_url reaches an internal address at connect:

- get_image_base64_from_url (utils/files.py): user image_url on every chat completion.
- load_url_image (routers/images.py, POST /api/v1/images/edit): user-supplied image field.

Add get_ssrf_safe_session() (a one-off aiohttp session mounting _SSRFSafeResolver) and use it
for both fetches, so the connect-time IP is re-validated and a rebound loopback / RFC1918 /
metadata address is rejected. The shared pool is left untouched for the admin-configured
image-generation callers, which legitimately reach internal hosts.

Co-authored-by: dhyabi2 <32069256+dhyabi2@users.noreply.github.com>
Co-authored-by: geo-chen <2404584+geo-chen@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 23:36:53 +02:00
..
2026-06-01 13:56:55 -07:00
2026-06-01 13:56:55 -07:00
2026-04-19 19:15:05 +09:00
2026-06-13 02:13:51 +01:00
2026-06-01 13:56:55 -07:00
2026-06-05 16:58:16 -04:00
2026-06-01 13:56:55 -07:00
2026-06-16 23:24:27 +02:00
2026-06-01 13:56:55 -07:00
2026-06-01 13:56:55 -07:00
2026-06-01 13:56:55 -07:00
2026-06-01 13:56:55 -07:00