Platform
other
Component
new-api
Fixed in
0.9.1
A Server-Side Request Forgery (SSRF) vulnerability has been identified in New API, a large language model (LLM) gateway and AI asset management system. This flaw, present in versions prior to 0.9.0.5, allows authenticated users to manipulate the server into making requests to arbitrary URLs. Exploitation can lead to unauthorized access and potential data exposure, impacting the confidentiality and integrity of the system.
The SSRF vulnerability in New API allows an authenticated attacker to craft malicious URLs that the server will then process. This bypasses intended security controls, enabling the attacker to potentially access internal resources, sensitive data, or even interact with other systems behind the firewall. The scope of the attack is limited by the attacker's ability to craft URLs that the server will accept. Successful exploitation could lead to information disclosure, privilege escalation (if internal services are accessible), and potentially even denial of service if the attacker can trigger resource exhaustion on the server or target systems. User registration is often enabled by default, which makes exploitation easier.
This vulnerability was publicly disclosed on 2025-10-09. The CVSS score of 8.5 (HIGH) indicates a significant risk. No public proof-of-concept (PoC) code has been observed at the time of writing, but the SSRF nature of the vulnerability makes it relatively straightforward to exploit. It is not currently listed on the CISA KEV catalog.
Organizations utilizing New API for LLM gateway and AI asset management, particularly those with default user registration enabled, are at risk. Environments with limited network segmentation or exposed internal services are especially vulnerable, as an attacker could leverage the SSRF to access those resources.
• linux / server: Monitor system logs (journalctl) for outbound requests to unexpected or internal IP addresses originating from the New API process. Use ss or lsof to identify connections to unusual ports or hosts.

journalctl -u new-api -f | grep -i 'request to' | grep -v 'localhost'

• generic web: Examine access logs for requests to the vulnerable endpoint with unusual or suspicious URLs. Check response headers for unexpected content or error codes.

grep -i 'new-api/vulnerable-endpoint' /var/log/apache2/access.log
Exploit Status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-59146 is to immediately upgrade New API to version 0.9.0.5 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing temporary workarounds such as strict URL validation on the server-side, restricting access to the vulnerable endpoint, and implementing a Web Application Firewall (WAF) with rules to block suspicious URL patterns. Monitor access logs for unusual outbound requests originating from the New API server.
Upgrade to version 0.9.0.5 or later. If you cannot upgrade immediately, enable the new-api image processor (new-api-worker) and/or configure outbound firewall rules to mitigate the SSRF vulnerability.
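Strict server-side URL validation of the kind the workaround above calls for, as an added Go example (Go is the language of the New API code base, but this is not the project's own code): `ValidateOutboundURL` and the injected `Resolver` are hypothetical names, and the resolver is a parameter so the check can be exercised offline with constructed hostnames.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver is injected so the check can be exercised without network
// access; a production caller passes net.LookupIP. (Hypothetical API.)
type Resolver func(host string) ([]net.IP, error)

// isDisallowedIP reports whether an address is one an SSRF would be
// aimed at: loopback, RFC 1918 / ULA private, link-local (which covers
// the 169.254.169.254 cloud metadata address), unspecified or multicast.
func isDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() ||
		ip.IsMulticast() || ip.IsUnspecified()
}

// ValidateOutboundURL is the server-side check applied to a user-supplied
// URL before the gateway fetches it: http(s) only, no embedded credentials,
// and every address the host resolves to must be publicly routable.
func ValidateOutboundURL(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("unparseable url: %w", err)
	}
	if s := strings.ToLower(u.Scheme); s != "http" && s != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return errors.New("credentials in url not allowed")
	}
	host := u.Hostname() // brackets already stripped from IPv6 literals
	ips := []net.IP{}
	if ip := net.ParseIP(host); ip != nil {
		ips = append(ips, ip) // literal address: nothing to resolve
	} else if ips, err = resolve(host); err != nil || len(ips) == 0 {
		return fmt.Errorf("cannot resolve %q: %v", host, err)
	}
	for _, ip := range ips {
		if isDisallowedIP(ip) { // one bad address fails the whole URL
			return fmt.Errorf("%q resolves to disallowed address %s", host, ip)
		}
	}
	return nil
}
```

Resolving here and fetching later still leaves a DNS rebinding window; in production, hand the validated IP to the HTTP client's dialer rather than letting it re-resolve the hostname.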
CVE-2025-59146 is a HIGH severity SSRF vulnerability affecting New API versions prior to 0.9.0.5, allowing authenticated users to make unauthorized server-side requests.
You are affected if you are using New API version 0.9.0.5 or earlier. Verify your version and upgrade immediately.
Upgrade New API to version 0.9.0.5 or later. As a temporary workaround, implement strict URL validation and WAF rules.
While no active exploitation has been confirmed, the SSRF nature of the vulnerability makes it easy to exploit.
Refer to the official New API security advisory for detailed information and updates: [Placeholder - Insert Link to Advisory Here]