Platform
other
Component
new-api
Fixed in
0.9.1
A Server-Side Request Forgery (SSRF) vulnerability has been identified in New API, a large language model (LLM) gateway and AI asset management system. This flaw, present in versions prior to 0.9.0.5, allows authenticated users to manipulate the server into making requests to arbitrary URLs. Exploitation can lead to unauthorized access and potential data exposure, impacting the confidentiality and integrity of the system.
The SSRF vulnerability in New API allows an authenticated attacker to supply crafted URLs that the server then fetches on their behalf. Because the request originates from the New API host, it bypasses network controls that only apply to external clients, so the attacker can potentially reach internal resources, read sensitive data, or interact with other systems behind the firewall. The scope of the attack is bounded by which URLs the server will accept and which destinations its network position can reach. Successful exploitation could lead to information disclosure, privilege escalation (if internal services trust requests from the gateway host), and potentially denial of service if the attacker can trigger resource exhaustion on the server or on the targeted systems. Because user registration is often enabled by default, obtaining the authenticated account the attack requires is frequently trivial, which lowers the bar for exploitation.
This vulnerability was publicly disclosed on 2025-10-09. The CVSS score of 8.5 (HIGH) indicates a significant risk. No public proof-of-concept (PoC) code has been observed at the time of writing, but the SSRF nature of the vulnerability makes it relatively straightforward to exploit. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-59146 is to immediately upgrade New API to version 0.9.0.5 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing temporary workarounds such as strict URL validation on the server-side, restricting access to the vulnerable endpoint, and implementing a Web Application Firewall (WAF) with rules to block suspicious URL patterns. Monitor access logs for unusual outbound requests originating from the New API server.
Update to version 0.9.0.5 or later. If you cannot update immediately, route image fetching through the separate new-api image processing worker (new-api-worker) so that the gateway itself does not retrieve user-supplied URLs, and/or configure outbound firewall rules on the New API host that deny egress to internal address ranges (including the link-local cloud metadata endpoint). These reduce the blast radius of the SSRF but do not remove the vulnerable code path.
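The "strict URL validation on the server side" recommended above has well-known failure modes: checking only the hostname string misses DNS records that point at internal addresses, checking once before connecting leaves a DNS-rebinding window, and a WAF never sees what a name resolves to. The following is an added example written for this page, not New API's own code and not its fix; New API is written in Go, so the example is in Go as well. All names (`ValidateOutboundURL`, `SafeClient`, `StubResolver`, `ErrBlocked`) are hypothetical, and the DNS table is constructed so the example runs offline. It shows a validator that rejects non-HTTP schemes, embedded credentials and any host whose resolved addresses fall in loopback, private, link-local (which covers the 169.254.169.254 metadata endpoint), multicast or CGNAT space, plus an `http.Client` that repeats that check inside its dialer so redirects and rebinding are covered too.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Resolver abstracts DNS so the policy can be exercised offline with a stub.
type Resolver func(ctx context.Context, host string) ([]net.IP, error)

// ErrBlocked (hypothetical name) marks a URL rejected by the SSRF policy.
var ErrBlocked = errors.New("outbound URL rejected by SSRF policy")

// 100.64.0.0/10 (CGNAT) is a shared range that net.IP.IsPrivate does not cover.
var _, cgnat, _ = net.ParseCIDR("100.64.0.0/10")

// IsBlockedIP reports whether ip is loopback, unspecified, private (RFC 1918 and
// IPv6 ULA), link-local, multicast or CGNAT. IPv4-mapped IPv6 addresses are
// normalised first so ::ffff:127.0.0.1 cannot slip past the IPv4 checks.
func IsBlockedIP(ip net.IP) bool {
	if ip == nil {
		return true
	}
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	return ip.IsLoopback() || ip.IsUnspecified() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast() ||
		cgnat.Contains(ip)
}

// vetHost parses a literal or resolves a name and rejects the host if ANY address
// is blocked; checking only the first record misses mixed public/internal answers.
func vetHost(ctx context.Context, host string, resolve Resolver) ([]net.IP, error) {
	lower := strings.ToLower(host)
	if host == "" || lower == "localhost" || strings.HasSuffix(lower, ".localhost") {
		return nil, fmt.Errorf("%w: host %q", ErrBlocked, host)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else {
		var err error
		if ips, err = resolve(ctx, host); err != nil {
			return nil, err
		}
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("%w: %q has no addresses", ErrBlocked, host)
	}
	for _, ip := range ips {
		if IsBlockedIP(ip) {
			return nil, fmt.Errorf("%w: %s resolves to %s", ErrBlocked, host, ip)
		}
	}
	return ips, nil
}

// ValidateOutboundURL is the early gate for user-supplied URLs: http(s) only,
// no embedded credentials, and a host that vets clean.
func ValidateOutboundURL(ctx context.Context, raw string, resolve Resolver) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("%w: scheme %q", ErrBlocked, u.Scheme)
	}
	if u.User != nil {
		return nil, fmt.Errorf("%w: credentials in URL", ErrBlocked)
	}
	if _, err := vetHost(ctx, u.Hostname(), resolve); err != nil {
		return nil, err
	}
	return u, nil
}

// SafeClient re-vets the host inside the dialer and connects only to an address
// it just vetted. This closes the DNS-rebinding window between validation and
// connection, and every redirect target gets its own dial and therefore its own
// check. TLS still verifies against the original hostname, not the pinned IP.
func SafeClient(resolve Resolver) *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second}
	tr := &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, port, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			ips, err := vetHost(ctx, host, resolve)
			if err != nil {
				return nil, err
			}
			return d.DialContext(ctx, network, net.JoinHostPort(ips[0].String(), port))
		},
	}
	return &http.Client{Transport: tr, Timeout: 15 * time.Second}
}

// StubResolver builds a Resolver from a constructed hostname table (offline demo).
func StubResolver(table map[string][]string) Resolver {
	return func(_ context.Context, host string) ([]net.IP, error) {
		addrs, ok := table[strings.ToLower(host)]
		if !ok {
			return nil, fmt.Errorf("lookup %s: no such host", host)
		}
		ips := make([]net.IP, 0, len(addrs))
		for _, a := range addrs {
			ips = append(ips, net.ParseIP(a))
		}
		return ips, nil
	}
}

func main() {
	// Constructed DNS table: one clean host, one whose answer includes metadata.
	resolve := StubResolver(map[string][]string{
		"images.example.com": {"203.0.113.10"},
		"evil.example.net":   {"203.0.113.20", "169.254.169.254"},
	})
	for _, raw := range []string{
		"https://images.example.com/cat.png",
		"http://169.254.169.254/latest/meta-data/",
		"http://[::ffff:127.0.0.1]:3000/api/status",
		"http://evil.example.net/redirect",
		"file:///etc/passwd",
	} {
		_, err := ValidateOutboundURL(context.Background(), raw, resolve)
		fmt.Printf("%-45s -> %v\n", raw, err)
	}
}
```

In production `resolve` would wrap `net.DefaultResolver.LookupIPAddr`; the pre-check and the in-dialer check both use it, so an attacker-controlled name that answers with a public address first and an internal one on the second lookup is still refused at connect time. Pair this with the outbound firewall rules mentioned above, since a policy like this only protects fetches that go through `SafeClient`.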
CVE-2025-59146 is a HIGH severity SSRF vulnerability affecting New API versions prior to 0.9.0.5, allowing authenticated users to make unauthorized server-side requests.
You are affected if you are running any New API version earlier than 0.9.0.5. Verify your version and upgrade immediately.
Upgrade New API to version 0.9.0.5 or later. As a temporary workaround, implement strict URL validation and WAF rules.
No active exploitation has been confirmed, but SSRF bugs of this kind are easy to exploit once an authenticated account is available, so treat exploitation as likely.
Refer to the official New API security advisory for detailed information and updates.