Platform
python
Component
maxkb
Fixed in
2.3.2
CVE-2025-64511 describes a Server-Side Request Forgery (SSRF) vulnerability in MaxKB, an open-source AI assistant for enterprise. Python code running in MaxKB's tool module executes inside a sandbox, but that sandbox does not stop the code from opening network connections, so an attacker who can author or run a tool can reach services on the internal network, such as the database, that MaxKB itself can reach. The vulnerability affects MaxKB versions prior to 2.3.1; the fix was released in version 2.3.1.
Because the requests originate from the MaxKB host, they carry that host's network position and bypass controls that only filter traffic at the perimeter. An attacker could use tool code to enumerate internal hosts and ports, talk to databases, caches or internal APIs that trust the MaxKB server's network location, or reach cloud metadata endpoints if MaxKB is deployed there. The sandbox constrains what the Python process can do locally, but it is not a defense against this class of attack, since the harmful action is an ordinary outbound connection. The impact depends on which internal services are reachable and what they expose without authentication; at minimum it is information disclosure about the internal network, and it can extend to data access on services that rely on network position as their only access control.
This vulnerability was publicly disclosed on 2025-11-13. There are currently no known public proof-of-concept exploits, although an SSRF reachable through user-supplied Python code requires little more than a single network call, so exploitation is not technically demanding. The current EPSS score is listed below. Monitor security advisories and threat intelligence feeds for any indications of active exploitation targeting MaxKB.
Exploit Status
EPSS
0.08% (23% percentile)
The primary mitigation for CVE-2025-64511 is to upgrade MaxKB to version 2.3.1 or later. If upgrading is not immediately feasible because of compatibility or testing requirements, isolate the MaxKB deployment from sensitive internal resources with network segmentation, and apply egress filtering to the tool sandbox itself (container network policy, firewall rules or a forward proxy with a destination allowlist) so that tool code cannot reach loopback, private, link-local and cloud-metadata addresses. A Web Application Firewall is the wrong control here: a WAF inspects inbound requests to MaxKB, whereas the malicious traffic in an SSRF is outbound from the MaxKB host. Finally, limit which users may create or edit tools, and review existing tool code for network calls to internal destinations.
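The egress filtering described above can also be enforced in code, at the point where tool code is about to make an outbound request. The following is an added example written for this page, not MaxKB's own code or its fix: a destination guard that rejects non-HTTP schemes, resolves the hostname, and refuses any URL for which any resolved address falls in a loopback, private, link-local, multicast, reserved or cloud-metadata range. The blocked range list, the function names and the `resolver` parameter are this example's own choices; the test-style inputs at the bottom are constructed.

```python
"""Egress guard for outbound requests from a Python tool sandbox (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Destinations tool code must never reach from the sandbox. The list is an
# assumption for this example; tune it to the deployment (e.g. add the
# database subnet explicitly if it is routed from a public range).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network; 0.0.0.0 connects to localhost on Linux
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",    # carrier-grade NAT, common inside cloud VPCs
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local, includes 169.254.169.254 cloud metadata
    "224.0.0.0/4", "240.0.0.0/4",                      # multicast, reserved
    "::/128", "::1/128", "fc00::/7", "fe80::/10",      # IPv6 equivalents
    "::ffff:0:0/96",    # IPv4-mapped IPv6, used to smuggle IPv4 targets
)]
ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Resolve host to every A/AAAA address it maps to (live DNS).

    getaddrinfo also normalises shorthand numeric forms such as
    "2130706433" or "0x7f000001" to dotted quads, so those are caught too.
    """
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_blocked_ip(ip_str):
    """True if the address lies in any blocked range."""
    ip = ipaddress.ip_address(ip_str)
    # Judge ::ffff:10.0.0.1 as 10.0.0.1 so the IPv4 rules apply to it as well.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_url(url, resolver=resolve_all):
    """Return (allowed, reason) for an outbound URL.

    Every resolved address is checked, not just the first: a name that
    maps to one public and one internal address is still rejected.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname          # brackets already stripped for IPv6 literals
    if not host:
        return False, "no host in URL"
    try:
        ipaddress.ip_address(host)  # IP literal: no DNS needed
        addrs = {host}
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"resolution of {host!r} failed: {exc}"
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"{host!r} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver so the demonstration runs offline.
    fake_dns = {"db.internal": {"10.20.0.5"},
                "mixed.example": {"93.184.216.34", "10.0.0.9"}}
    for url in ("http://127.0.0.1:6379/", "http://[::1]:5432/",
                "http://169.254.169.254/latest/meta-data/",
                "http://[::ffff:10.0.0.1]/", "file:///etc/passwd",
                "http://db.internal:5432/", "http://mixed.example/",
                "http://93.184.216.34/"):
        print(url, check_url(url, resolver=lambda h: fake_dns[h]))
```

Two caveats belong with any guard of this kind. First, checking a name and then letting an HTTP library resolve it again is a time-of-check/time-of-use gap (DNS rebinding); connect to the vetted address and send the original host name in the `Host` header, or run the check inside the connection hook of the HTTP client. Second, disable automatic redirect following, or run `check_url` on every redirect target, since a public URL can 302 to an internal one.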
Update MaxKB to version 2.3.1 or later. This version corrects the SSRF vulnerability that allows access to internal network services. The update will mitigate the risk of unauthorized access to the database and other internal resources.
CVE-2025-64511 is a Server-Side Request Forgery vulnerability in MaxKB versions prior to 2.3.1: Python code in the tool module can reach internal network services because the sandbox it runs in does not restrict outbound connections.
If you are using MaxKB version 2.3.0 or earlier, you are affected by this SSRF vulnerability and should upgrade immediately.
Upgrade MaxKB to version 2.3.1 or later to resolve the SSRF vulnerability. As interim mitigations, segment MaxKB from sensitive internal resources and apply egress filtering to the tool sandbox so that tool code cannot reach loopback, private, link-local or cloud-metadata addresses.
While no public exploits are currently known, the SSRF nature of the vulnerability suggests potential for exploitation. Monitor security advisories and threat intelligence.
Refer to the official MaxKB security advisory for detailed information and updates regarding CVE-2025-64511: [https://maxkb.ai/security/advisories/CVE-2025-64511]