Platform: go
Component: github.com/quantumnous/new-api
Fixed in: 0.9.7, 0.9.6
CVE-2025-62155 describes a Server-Side Request Forgery (SSRF) vulnerability within the QuantumNous new-api library. This flaw allows attackers to bypass the existing security fix by leveraging 302 redirects, enabling unauthorized access to internal network resources. The vulnerability impacts versions of new-api released before 0.9.6, and a patch is available to address the issue.
The SSRF vulnerability in QuantumNous new-api presents a significant risk, as it allows attackers to initiate requests on behalf of the server, potentially accessing sensitive internal resources that are normally inaccessible from the outside. The bypass mechanism, utilizing 302 redirects, circumvents the intended security restrictions, making exploitation relatively straightforward. An attacker could leverage this to scan the internal network for open ports, access internal APIs, or even interact with internal services, potentially leading to data exfiltration or further compromise. The blast radius extends to any internal resource accessible via HTTP/HTTPS, posing a serious threat to the confidentiality and integrity of the affected environment.
CVE-2025-62155 was publicly disclosed on 2025-11-24. While no active exploitation campaigns have been publicly reported, the availability of a bypass technique and the relatively simple exploitation process suggest a potential for opportunistic attacks. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is available, demonstrating the bypass technique.
Organizations utilizing the QuantumNous new-api library in their applications, particularly those with internal services accessible via HTTP/HTTPS, are at risk. This includes deployments where the library is used as a dependency in larger projects, potentially impacting a wider range of applications and services.
• linux / server:
journalctl -u new-api -f | grep -i "redirect"
• generic web:
curl -I <affected_endpoint> | grep "Location:"
Exploit status
EPSS: 0.04% (13th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-62155 is to immediately upgrade to version 0.9.6 or later of the QuantumNous new-api library. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) with rules to block suspicious 302 redirects. Additionally, restrict outbound network access from the application server to only necessary destinations. Monitor application logs for unusual outbound requests, particularly those involving redirects. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability with a 302 redirect and verifying that the request is blocked.
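The redirect-aware outbound check that the mitigation above calls for, as an added Go example that is not new-api's own code: the initial URL and, through http.Client.CheckRedirect, every 302 hop are validated, and any host that resolves to loopback, private, link-local (cloud metadata included), multicast or unspecified address space is refused. All function names are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// blockedIP: loopback, RFC 1918 / fc00::/7, link-local (169.254.169.254 metadata), multicast, unspecified.
func blockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// checkURL validates one hop: http(s) only, and nothing the host resolves to may be blocked.
func checkURL(u *url.URL) error {
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	ips, err := net.LookupIP(u.Hostname()) // an IP literal is returned as-is, no DNS query
	if err != nil {
		return err
	}
	for _, ip := range ips {
		if blockedIP(ip) {
			return fmt.Errorf("host %q resolves to blocked address %s", u.Hostname(), ip)
		}
	}
	return nil
}

// checkRedirect goes in http.Client.CheckRedirect so a 302 to an internal address is refused, not followed (this CVE's bypass).
func checkRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 5 { // a custom CheckRedirect must enforce its own hop limit
		return fmt.Errorf("stopped after %d redirects", len(via))
	}
	return checkURL(req.URL)
}

// safeGet checks the first URL the same way, then lets checkRedirect police each hop.
func safeGet(rawURL string) (*http.Response, error) {
	u, err := url.Parse(rawURL)
	if err == nil {
		err = checkURL(u)
	}
	if err != nil {
		return nil, err
	}
	return (&http.Client{CheckRedirect: checkRedirect}).Get(u.String())
}
```

Because the name is resolved at check time, a DNS answer that changes between check and connect (rebinding) is not covered here; pinning the checked IP in a custom DialContext closes that gap.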
Upgrade to version 0.9.6 or later. That release contains the fix for the SSRF vulnerability and prevents attackers from exploiting it through 302 redirects to reach the intranet.
CVE-2025-62155 is a HIGH severity SSRF vulnerability in QuantumNous new-api, allowing attackers to bypass existing security measures using 302 redirects to access internal resources.
You are affected if you are using a version of QuantumNous new-api prior to 0.9.6 and are exposed to external requests.
Upgrade to version 0.9.6 or later of QuantumNous new-api. As a temporary workaround, implement WAF rules to block suspicious 302 redirects.
While no active exploitation campaigns have been publicly reported, the vulnerability's ease of exploitation suggests a potential for opportunistic attacks.
Refer to the QuantumNous project's repository and release notes for the official advisory and details regarding the fix.