What is CVE-2025-64496?

CVE-2025-64496 is a high-severity vulnerability in Open-webui, classified under Eval Injection. CVSS score: 7.3/10. Published 2025-11-08.

How severe is CVE-2025-64496?

High severity. CVSS v3 base score is 7.3 out of 10.

RCE in Open-webui

CVE-2025-64496

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model ser…

EPSS: 0.001 (30.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.3 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N.

Affected products

Open-webui — versions < 0.6.35

Weakness classification (CWE)

References

https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx (x_refsource_CONFIRM)
https://github.com/open-webui/open-webui/commit/8af6a4cf21b756a66cd58378a01c60f74c39b7ca (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-64496?: CVE-2025-64496 is a high-severity vulnerability in Open-webui, classified under Eval Injection. CVSS score: 7.3/10. Published 2025-11-08.
How severe is CVE-2025-64496?: High severity. CVSS v3 base score is 7.3 out of 10.