2.3.2
CVE-2025-64511 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in MaxKB, an open-source AI assistant for enterprise. This flaw allows attackers to potentially access internal network services, such as databases, through Python code within the tool module, despite the process operating within a sandbox. The vulnerability impacts versions of MaxKB prior to 2.3.1, and a fix has been released in version 2.3.1.
The SSRF vulnerability in MaxKB allows an attacker to craft malicious requests that originate from the server itself, effectively bypassing security controls. An attacker could leverage this to scan the internal network for exposed services, attempt to access sensitive data stored in internal databases, or even potentially execute commands on internal systems if those services are vulnerable. The sandbox environment provides some mitigation, but it is not a complete defense against SSRF exploitation. Successful exploitation could lead to data breaches, unauthorized access to internal resources, and potentially compromise the entire enterprise network.
This vulnerability was publicly disclosed on 2025-11-13. There are currently no known public proof-of-concept exploits available, but the SSRF nature of the vulnerability makes it likely that exploits will be developed. The EPSS score is currently pending evaluation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting MaxKB.
Organizations utilizing MaxKB for AI-powered enterprise applications are at risk, particularly those with internal databases or services accessible via HTTP or other protocols. Environments with weak network segmentation or limited WAF protection are especially vulnerable. Users relying on MaxKB for sensitive data processing should prioritize patching.
• python / server:
import urllib3

http = urllib3.PoolManager()

def check_ssrf(url):
    """Fetch url from the server side and report whether the target answered with HTTP 200."""
    try:
        r = http.request('GET', url, timeout=3)
        if r.status == 200:
            print(f"[+] SSRF possible: {url}")
        else:
            print(f"[-] SSRF not detected: {url}")
    except Exception as e:
        print(f"[-] Error checking {url}: {e}")

# Example usage (replace with internal URLs)
check_ssrf('http://localhost:5432')
check_ssrf('http://127.0.0.1:8080')
• generic web:
curl -I http://<maxkb_server>/tool/module?url=http://localhost:5432 | grep HTTP/1.1
EPSS: 0.08% (23rd percentile)
The primary mitigation for CVE-2025-64511 is to immediately upgrade MaxKB to version 2.3.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing strict network segmentation to isolate MaxKB from sensitive internal resources. Additionally, implement a Web Application Firewall (WAF) with SSRF protection rules to filter outbound requests and block malicious URLs. Regularly review and audit the Python code within the tool module to identify and remediate any potential SSRF vulnerabilities.
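The last sentence above asks operators to review the Python in the tool module for outbound requests that can be pointed at internal services. The guard below is an added example of what such a review would look for; it is not MaxKB code and does not reflect how MaxKB 2.3.1 fixed the issue. It resolves the destination of every outbound URL and refuses loopback, private, link-local and other non-global addresses, optionally on top of a hostname allowlist. The function names, the sample destinations and the allowlist entries are all constructed for illustration.

```python
"""Outbound-URL guard for Python tool-module code (added example, not MaxKB code).

Rejects requests whose destination resolves to loopback, private, link-local
or otherwise non-global addresses, so code running in the tool sandbox cannot
be pointed at internal services such as a database. The hostnames, ports and
allowlist used here are assumptions for illustration.
"""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


class UnsafeUrlError(ValueError):
    """Raised when a URL must not be fetched from the server."""


def resolve_all(host):
    """Return every IP address host resolves to (IP literals resolve to themselves)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror as exc:
        raise UnsafeUrlError(f"cannot resolve {host!r}: {exc}") from exc
    addrs = set()
    for _family, _type, _proto, _canon, sockaddr in infos:
        addr = ipaddress.ip_address(sockaddr[0])
        # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as 127.0.0.1.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        addrs.add(addr)
    return sorted(addrs, key=str)


def check_outbound_url(url, allowed_hosts=None):
    """Validate url and return the hostname it targets, or raise UnsafeUrlError.

    allowed_hosts: optional allowlist of hostnames. When given, anything not on
    it is rejected before resolution (an allowlist beats a denylist).
    """
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeUrlError(f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeUrlError("URL has no host")
    if allowed_hosts is not None and host.lower() not in {h.lower() for h in allowed_hosts}:
        raise UnsafeUrlError(f"host {host!r} not on allowlist")
    for addr in resolve_all(host):
        # is_global is False for loopback, RFC 1918, link-local (including the
        # 169.254.169.254 cloud metadata address), CGNAT, unspecified and other
        # reserved ranges, so one test covers the usual SSRF destinations.
        if not addr.is_global:
            raise UnsafeUrlError(f"{host!r} resolves to non-global address {addr}")
    return host


def is_safe_url(url, allowed_hosts=None):
    """Boolean convenience wrapper around check_outbound_url."""
    try:
        check_outbound_url(url, allowed_hosts)
        return True
    except UnsafeUrlError:
        return False


if __name__ == "__main__":
    # Constructed sample destinations; the first three are the kind of internal
    # target the advisory above is about, the last is a public IP literal.
    for candidate in ["http://127.0.0.1:5432", "http://10.0.0.5/admin",
                      "http://169.254.169.254/latest/meta-data/",
                      "file:///etc/passwd", "http://93.184.216.34/"]:
        verdict = "allowed" if is_safe_url(candidate) else "blocked"
        print(f"{candidate:45} -> {verdict}")
```

Two caveats a reviewer should keep in mind when applying this pattern. The guard must run in the server-side code that performs the request, not in the sandboxed user code it is meant to constrain. And because it resolves the name once, a real fetch wrapper should connect to the address that was validated rather than resolving again, and must re-run the check on every redirect, since HTTP clients such as urllib3 follow redirects by default.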
Update MaxKB to version 2.3.1 or later. This version fixes the SSRF vulnerability that allowed access to internal network services. The update mitigates the risk of unauthorized access to the database and other internal resources.
CVE-2025-64511 is a Server-Side Request Forgery vulnerability in MaxKB versions prior to 2.3.1, allowing attackers to access internal network services through Python code, despite a sandbox.
If you are using MaxKB version 2.3.0 or earlier, you are affected by this SSRF vulnerability and should upgrade immediately.
Upgrade MaxKB to version 2.3.1 or later to resolve the SSRF vulnerability. Consider network segmentation and WAF rules as interim mitigations.
While no public exploits are currently known, the SSRF nature of the vulnerability suggests potential for exploitation. Monitor security advisories and threat intelligence.
Refer to the official MaxKB security advisory for detailed information and updates regarding CVE-2025-64511: [https://maxkb.ai/security/advisories/CVE-2025-64511]