Nixpkgs security tracker

Permalink CVE-2025-15603

3.7 LOW

CVSS version: 3.1
Attack vector (AV):
Attack complexity (AC):
Privileges required (PR):
User interaction (UI):
Scope (S):
Confidentiality impact (C):
Integrity impact (I):
Availability impact (A):

updated 4 weeks, 1 day ago by @mweinelt Activity log

Created automatic suggestion 1 month ago
@mweinelt dismissed 4 weeks, 1 day ago

open-webui JWT Key start_windows.bat random values

A security vulnerability has been detected in open-webui up to 0.6.16. Affected is an unknown function of the file backend/start_windows.bat of the component JWT Key Handler. Such manipulation of the argument WEBUI_SECRET_KEY leads to insufficiently random values. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used.

References

VDB-349701 | open-webui JWT Key start_windows.bat random values vdb-entrytechnical-description
VDB-349701 | CTI Indicators (IOB, IOC, TTP, IOA) signaturepermissions-required
Submit #766444 | open-webui 6.16 Use of Hard-coded Cryptographic Key third-party-advisory
https://huntr.com/bounties/b9fc7fee-d25d-4100-9703-5e78a61e1ce4 exploit

Affected products

open-webui

==0.6.9
==0.6.1
==0.6.15
==0.6.12
==0.6.7
==0.6.11
==0.6.5
==0.6.3
==0.6.10
==0.6.14
==0.6.6
==0.6.0
==0.6.2
==0.6.8
==0.6.13
==0.6.4
==0.6.16

Matching in nixpkgs

pkgs.open-webui

Comprehensive suite for LLMs with a user-friendly WebUI

nixos-unstable 0.8.8
- nixpkgs-unstable 0.8.8
- nixos-unstable-small 0.8.8
nixos-25.11 0.8.8
- nixos-25.11-small 0.8.8
- nixpkgs-25.11-darwin 0.8.8

Package maintainers

@drupol Pol Dellaiera <pol.dellaiera@protonmail.com>
@shivaraj-bh Shivaraj B H <sbh69840@gmail.com>

0.6.x is older than everything we have

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.open-webui

Package maintainers