CVE-2025-15603 identifies a cryptographic weakness in open-webui versions 0.6.0 through 0.6.16, specifically within the JWT Key Handler component implemented in the backend/start_windows.bat script. The vulnerability stems from insufficient randomness in the generation of the WEBUI_SECRET_KEY, a critical secret used to sign JSON Web Tokens (JWTs). JWTs rely on strong secret keys to ensure token integrity and authenticity; weak or predictable keys can allow attackers to forge tokens or bypass authentication mechanisms. The vulnerability can be triggered remotely without requiring authentication or user interaction, but the attack complexity is high, indicating that exploitation demands advanced skills or conditions. The CVSS 4.0 base score is 6.3 (medium severity), reflecting the network attack vector, high complexity, and limited impact confined to confidentiality with no integrity or availability impact. No known exploits have been observed in the wild, but the public disclosure of the exploit increases the risk of future attacks. The lack of patches or official fixes at the time of publication necessitates immediate mitigation efforts by users of affected versions. This vulnerability highlights the critical importance of using cryptographically secure random values for secret keys in authentication systems to prevent token forgery and unauthorized access.

The primary impact of CVE-2025-15603 is the potential compromise of confidentiality through the forgery or manipulation of JWT tokens used in open-webui authentication or session management. Attackers exploiting this vulnerability could impersonate legitimate users or escalate privileges if the JWT tokens are trusted for access control. Although the attack complexity is high and no known active exploitation exists, the public availability of the exploit code increases the risk of targeted attacks, especially against organizations relying heavily on open-webui for web interface management. The vulnerability does not directly affect system integrity or availability but undermines trust in authentication mechanisms, potentially leading to unauthorized data access or control. Organizations with sensitive data or critical infrastructure using open-webui may face increased risk of data breaches or unauthorized administrative access. The scope is limited to affected open-webui versions, but given the wide range of versions impacted (0.6.0 to 0.6.16), many deployments could be vulnerable if not updated or mitigated.

1. Upgrade open-webui to a version beyond 0.6.16 once an official patch addressing CVE-2025-15603 is released. Monitor vendor advisories for updates. 2. If immediate patching is not possible, manually regenerate the WEBUI_SECRET_KEY using a cryptographically secure random number generator to ensure sufficient entropy and unpredictability. Avoid using default or weak keys. 3. Restrict network access to the open-webui backend, limiting exposure to trusted networks or VPNs to reduce remote attack surface. 4. Implement additional layers of authentication and authorization around the web UI to detect and block unauthorized token usage. 5. Monitor logs and authentication events for suspicious JWT token activity or anomalies indicating token forgery attempts. 6. Conduct security audits of JWT handling and secret management practices to ensure cryptographic best practices are followed. 7. Educate developers and administrators on the importance of secure key generation and management in authentication systems. 8. Consider deploying Web Application Firewalls (WAFs) with rules to detect abnormal JWT usage patterns as an interim protective measure.