Platform: go
Component: github.com/quantumnous/new-api
Fixed in: 0.9.7, 0.9.6
CVE-2025-62155 describes a Server-Side Request Forgery (SSRF) vulnerability in the QuantumNous new-api library. The flaw lets an attacker bypass the existing SSRF fix by using 302 redirects, so that the server can be steered into reaching internal network resources. It affects versions of new-api released before 0.9.6, and a patched release is available.
The vulnerability presents a significant risk because it lets an attacker make the server issue requests on their behalf, reaching internal resources that are not normally reachable from outside. Because the 302-redirect bypass sidesteps the intended restriction, exploitation is relatively straightforward. An attacker could use it to scan the internal network for open ports, reach internal APIs, or interact with internal services, potentially leading to data exfiltration or further compromise. The blast radius covers every internal resource reachable over HTTP/HTTPS from the application server, so both the confidentiality and the integrity of the affected environment are at stake.
CVE-2025-62155 was publicly disclosed on 2025-11-24. No active exploitation campaigns have been publicly reported, but the availability of a bypass technique and the simplicity of the exploitation process suggest a potential for opportunistic attacks. The vulnerability is not currently listed in the CISA KEV catalog. Public proof-of-concept code demonstrating the bypass is available.
Exploit Status
EPSS: 0.04% (13th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-62155 is to upgrade immediately to version 0.9.6 or later of the QuantumNous new-api library. If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider deploying a Web Application Firewall (WAF) with rules that block suspicious 302 redirects. Additionally, restrict outbound network access from the application server to only the destinations it needs, and monitor application logs for unusual outbound requests, particularly those involving redirects. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability with a 302 redirect and verifying that the request is blocked.
Update to version 0.9.6 or later. This version contains the fix for the SSRF vulnerability. The update will prevent attackers from exploiting the vulnerability using 302 redirects to access the intranet.
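To illustrate the class of flaw the advisory describes, here is an added Go example; it is neither new-api's code nor a reproduction of its fix. A client that validates only the first URL is steered onto a loopback address by a 302, while a client that re-runs the same check from CheckRedirect refuses the hop. The network is replaced by a constructed in-memory transport, the hostnames public.example and api.example are invented, and the address check deliberately skips DNS resolution so the example runs offline.

```go
package main
import (
	"errors"
	"net"
	"net/http"
	"net/url"
)
// ErrInternalTarget is returned when the request, or any redirect hop, points at the intranet.
var ErrInternalTarget = errors.New("refusing request to internal address")
// isInternal flags localhost, loopback, RFC 1918, link-local and unspecified addresses. Production code must also resolve hostnames and check every returned IP; DNS lookup is skipped here to stay offline.
func isInternal(u *url.URL) bool {
	host, ip := u.Hostname(), net.ParseIP(u.Hostname())
	return host == "localhost" || ip != nil && (ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified())
}
// rtFunc lets a plain function act as the http.RoundTripper, replacing the real network for this example.
type rtFunc func(*http.Request) (*http.Response, error)
func (f rtFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }
// fakeNet is a constructed network: the public-looking host answers with a 302 whose Location points at a loopback address (the shape of the bypass described above); every other host returns 200.
func fakeNet(r *http.Request) (*http.Response, error) {
	resp := &http.Response{StatusCode: 200, Header: http.Header{}, Body: http.NoBody}
	if r.URL.Host == "public.example" {
		resp.StatusCode, resp.Header = 302, http.Header{"Location": {"http://127.0.0.1:8080/admin"}}
	}
	return resp, nil
}
// checkHop re-runs the target check on every redirect, so a 302 cannot steer the request inward, and caps the chain, because a Client with a custom CheckRedirect has no default hop limit.
func checkHop(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return errors.New("stopped after 10 redirects")
	}
	if isInternal(req.URL) {
		return ErrInternalTarget
	}
	return nil
}
// fetch validates only the initial URL (the pre-existing check) and issues the GET. With check == nil the client follows redirects unchecked, which is the flawed pattern; pass checkHop for the hardened behaviour.
func fetch(raw string, check func(*http.Request, []*http.Request) error) (int, error) {
	if u, err := url.Parse(raw); err != nil {
		return 0, err
	} else if isInternal(u) {
		return 0, ErrInternalTarget
	}
	c := &http.Client{Transport: rtFunc(fakeNet), CheckRedirect: check}
	resp, err := c.Get(raw)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}
```

With the same request, fetch("http://public.example/model", nil) returns 200 from the loopback target, whereas fetch("http://public.example/model", checkHop) returns an error wrapping ErrInternalTarget.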
CVE-2025-62155 is a HIGH severity SSRF vulnerability in QuantumNous new-api, allowing attackers to bypass existing security measures using 302 redirects to access internal resources.
You are affected if you are using a version of QuantumNous new-api prior to 0.9.6 and are exposed to external requests.
Upgrade to version 0.9.6 or later of QuantumNous new-api. As a temporary workaround, implement WAF rules to block suspicious 302 redirects.
While no active exploitation campaigns have been publicly reported, the vulnerability's ease of exploitation suggests a potential for opportunistic attacks.
Refer to the QuantumNous project's repository and release notes for the official advisory and details regarding the fix.