CVE-2025-29446: n/a
open-webui v0.5.16 is vulnerable to SSRF in routers/ollama.py in function verify_connection.
AI Analysis
Technical Summary
CVE-2025-29446 identifies a Server-Side Request Forgery (SSRF) vulnerability in the open-webui project, version 0.5.16, in the function verify_connection in routers/ollama.py. SSRF occurs when an attacker can make the server issue requests to destinations of the attacker's choosing, reaching internal systems or data that are not directly accessible to the attacker. Here, an attacker with limited privileges (PR:L) and no user interaction (UI:N) can induce the server to send requests to arbitrary internal or external resources. The CVSS v3.1 base score is 3.3 (Low): the assigner scored the attack vector as local (AV:L), the impact as confidentiality only (C:L, with I:N and A:N), and the scope as unchanged (S:U), meaning the rating covers only the vulnerable component. Note that AV:L is the assigner's scoring choice, not a statement that the endpoint cannot be reached over the network; the practical exposure of a given deployment depends on who can reach the open-webui API with the required role and may be higher than the score suggests. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability is categorized under CWE-918 (SSRF). The function name indicates a connectivity check against a supplied endpoint; the advisory attributes the flaw to insufficient validation of that endpoint, so the check can be pointed at internal services, cloud metadata endpoints, or other restricted resources reachable from the host running open-webui. Exploitation still requires an account with the relevant privileges, which limits the attack surface.
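The following is an added example, not code from open-webui or from this advisory, showing how a connection-verification endpoint of the kind described above can validate a user-supplied backend URL before issuing any request. The function names (check_backend_url, is_blocked_ip), the blocked-range list and the DNS answers in FAKE_DNS are assumptions constructed for the example; the resolver is injected so the block runs offline, and in production the system_resolver would be used.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

# Added example (hypothetical hardening, not open-webui code): validate a
# user-supplied backend URL before a connectivity check is issued against it.

# Destinations a backend-connectivity check must never reach: "this host", RFC 1918,
# CGNAT, loopback, link-local (covers the 169.254.169.254 cloud metadata address)
# and the IPv6 equivalents. Extend the list for your own environment.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list[str]:
    """Resolve a name via the OS, returning every A/AAAA answer so each one is checked."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_ip(text: str) -> bool:
    """True if the address falls in a blocked range; IPv4-mapped IPv6 is judged as IPv4."""
    ip = ipaddress.ip_address(text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 must be treated as 10.0.0.1
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_backend_url(url: str, resolver: Resolver = system_resolver) -> tuple[Optional[str], str]:
    """Return (pinned_ip, reason); pinned_ip is None when the URL must be refused.

    The caller should connect to pinned_ip and send the Host header itself, so that a
    second DNS lookup cannot rebind the name to an internal address after this check.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None, f"scheme not allowed: {parts.scheme or '(none)'}"
    if parts.username is not None or parts.password is not None:
        return None, "credentials in URL not allowed"
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        return None, "missing host"
    try:
        _ = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None, "invalid port"
    try:
        candidates = [str(ipaddress.ip_address(host))]  # literal address, no lookup needed
    except ValueError:
        try:
            candidates = list(resolver(host))
        except OSError as exc:
            return None, f"resolution failed for {host}: {exc}"
        if not candidates:
            return None, f"{host} resolved to no addresses"
    for addr in candidates:  # a single internal answer among several is enough to refuse
        if is_blocked_ip(addr):
            return None, f"{host} resolves to blocked address {addr}"
    return candidates[0], "ok"


# Constructed DNS answers so the example runs offline (sample data, not real hosts).
FAKE_DNS = {
    "ollama.example.com": ["203.0.113.10"],
    "ollama.internal.example": ["10.20.0.5"],
    "localhost": ["127.0.0.1", "::1"],
    "rebind.example.net": ["203.0.113.7", "127.0.0.1"],  # split answer: public plus loopback
}


def fake_resolver(host: str) -> list[str]:
    if host not in FAKE_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in (
        "http://ollama.example.com:11434",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:10.0.0.1]:11434/",
        "http://rebind.example.net/",
        "file:///etc/passwd",
    ):
        print(candidate, "->", check_backend_url(candidate, fake_resolver))
```

The check deliberately returns the resolved address rather than just a verdict: a name that resolves to a public address at check time and to 127.0.0.1 when the HTTP client resolves it again (DNS rebinding) defeats a validate-then-fetch design, so the fetch must use the address that was validated. Redirects from the backend should be disabled or re-validated with the same function.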
Potential Impact
For European organizations using open-webui v0.5.16, this SSRF vulnerability poses a limited but non-negligible risk. The primary impact is unauthorized disclosure of internal network information or of data reachable through internal endpoints. Because exploitation requires privileges on the application (PR:L) and is scored as local (AV:L), opportunistic exploitation by unauthenticated remote attackers is unlikely; the realistic scenario is an insider or an attacker who has already obtained an account. In that scenario, where open-webui runs inside a sensitive network or on critical infrastructure, the attacker can use the server as a pivot to reach internal services and potentially escalate. The confidentiality impact could expose internal APIs, configuration data, or cloud metadata services (including instance credentials), any of which can enable further attacks. The absence of integrity and availability impact means direct service disruption or data tampering is not expected from this flaw alone. Given the low CVSS score and the absence of known exploits, the immediate threat level is low, but organizations should not disregard the vulnerability, especially in high-security environments or where open-webui has network reach to sensitive systems.
Mitigation Recommendations
1. Restrict access to the open-webui service, and in particular to its backend connection settings, to trusted users and networks; because the flaw requires an account with privileges, account hygiene and careful role assignment directly reduce exposure.
2. Apply egress filtering: use network segmentation and host or proxy firewall rules so the open-webui host can reach only its approved model backends, and explicitly block cloud metadata addresses (for example 169.254.169.254) and internal management APIs.
3. Monitor and log outbound requests from the open-webui host (via an egress proxy or host-level flow logs) and alert on connections to internal ranges, metadata endpoints, or destinations outside the approved backend list, which are the signatures of SSRF exploitation.
4. If you build or fork open-webui, validate the endpoint supplied to verify_connection before any request is made: allow only http and https, reject URL-embedded credentials, resolve the host and refuse loopback, private, link-local and other internal ranges, and connect to the resolved address so that DNS rebinding cannot bypass the check.
5. Update to a fixed release of open-webui once one is published, or backport a fix in a maintained fork; until then rely on the network controls above rather than on a local patch alone.
6. Include SSRF test cases for the connection-verification endpoint in internal security assessments and penetration tests of open-webui deployments.
7. RASP or WAF rules on the inbound URL parameter can catch obvious payloads (metadata addresses, non-HTTP schemes) but are bypassed by DNS tricks and encoding; treat them as supplementary to egress filtering, not a substitute for it.
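As an added example for the monitoring recommendation above (not part of the advisory and not open-webui code), the block below runs a simple SSRF-detection pass over constructed egress-proxy log lines for the open-webui host. The log format, the approved-backend list and the addresses in SAMPLE_LOG are all assumptions made for the example; adapt the regex to your proxy's real format.

```python
import ipaddress
import re
from dataclasses import dataclass

# Added example (not from the advisory or open-webui): flag outbound connections from
# the open-webui host that look like SSRF. One constructed record per outbound request.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) ip=(?P<ip>\S+) port=(?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Paths that only make sense against cloud metadata services; a hit is suspicious
# regardless of which destination name was used to get there.
METADATA_PATHS = ("/latest/meta-data", "/computeMetadata/", "/metadata/instance")

# Constructed sample log (not real traffic). 93.184.216.34 stands in for the approved
# backend's routable address; documentation ranges such as 203.0.113.0/24 are not used
# here because ipaddress classifies them as non-global and they would trip the check.
SAMPLE_LOG = """\
2025-06-11T05:00:01Z src=10.30.1.15 dst=ollama.example.com ip=93.184.216.34 port=11434 GET /api/version 200
2025-06-11T05:00:07Z src=10.30.1.15 dst=169.254.169.254 ip=169.254.169.254 port=80 GET /latest/meta-data/iam/security-credentials/ 200
2025-06-11T05:00:09Z src=10.30.1.15 dst=metadata.google.internal ip=169.254.169.254 port=80 GET /computeMetadata/v1/ 403
2025-06-11T05:00:12Z src=10.30.1.15 dst=vault.internal.example ip=10.40.2.8 port=8200 GET /v1/sys/health 200
2025-06-11T05:00:20Z src=10.30.1.15 dst=ollama.example.com ip=93.184.216.34 port=11434 GET /api/tags 200
"""


@dataclass
class Alert:
    line_no: int
    dst: str
    reasons: list[str]


def analyse_egress(log_text: str, allowed_backends: set[str]) -> list[Alert]:
    """Return one Alert per outbound request that violates the expected-backend policy."""
    alerts = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed record; count these separately in production
        reasons = []
        ip = ipaddress.ip_address(m["ip"])
        if ip.is_loopback or ip.is_link_local or ip.is_private:
            reasons.append(f"destination {ip} is in an internal/link-local range")
        if m["dst"] not in allowed_backends:
            reasons.append(f"destination {m['dst']} is not an approved model backend")
        if any(m["path"].startswith(p) for p in METADATA_PATHS):
            reasons.append("path targets a cloud metadata endpoint")
        if reasons:
            alerts.append(Alert(line_no, m["dst"], reasons))
    return alerts


if __name__ == "__main__":
    for alert in analyse_egress(SAMPLE_LOG, {"ollama.example.com"}):
        print(f"line {alert.line_no}: {alert.dst}: " + "; ".join(alert.reasons))
```

The allowlist check is the one that matters most: an SSRF against a connection-check endpoint produces a request whose destination is, by definition, not one of the backends the operator configured, so any outbound connection from this host to a name outside that list deserves an alert even when the address is public. A 403 from the metadata service (line 3 of the sample) is still worth alerting on, since it shows the attempt was made.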
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-03-11T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9817c4522896dcbd707f
Added to database: 5/21/2025, 9:08:39 AM
Last enriched: 6/11/2025, 5:02:26 AM
Last updated: 7/5/2025, 6:02:03 AM