CVE-2025-59146
BaseFortify

Publication date: 2025-10-09

Last updated on: 2025-10-14

Assigner: GitHub, Inc.

Description
New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. An authenticated Server-Side Request Forgery (SSRF) vulnerability exists in versions prior to 0.9.0.5. A feature within the application allows authenticated users to submit a URL for the server to process its content. The application fails to properly validate this user-supplied URL before making a server-side request. This vulnerability is not limited to image URLs and can be triggered with any link provided to the vulnerable endpoint. Since user registration is often enabled by default, any registered user can exploit this. By crafting a malicious URL, an attacker can coerce the server to send requests to arbitrary internal or external services. The vulnerability has been patched in version 0.9.0.5. The patch introduces a comprehensive, user-configurable SSRF protection module, which is enabled by default to protect server security. This new feature provides administrators with granular control over outbound requests made by the server. For users who cannot upgrade immediately, some temporary mitigation options are available: enable the new-api image processing worker (new-api-worker) and/or configure egress firewall rules.
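The defect described above is the absence of a destination check before the server fetches a user-supplied URL. The following Go block is an added example and is not code from new-api or from its 0.9.0.5 SSRF protection module; it shows the shape such a guard takes: accept only http(s), reject embedded credentials, resolve the hostname, refuse any resolved address in loopback, private, link-local, multicast or other non-routable ranges, and hand back the vetted addresses so the actual fetch can be pinned to them. All identifiers (ValidateOutboundURL, PinnedClient, LookupFunc, StaticLookup) and the sample hostnames are assumptions made for this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"time"
)

// LookupFunc resolves a hostname; it is injected so the guard can be tested offline.
type LookupFunc func(ctx context.Context, host string) ([]netip.Addr, error)

// ErrBlocked wraps every refusal so callers can test for one value with errors.Is.
var ErrBlocked = errors.New("ssrf guard: destination not allowed")

// StaticLookup builds a resolver from a fixed name->addresses table (constructed data for offline tests).
func StaticLookup(table map[string][]string) LookupFunc {
	return func(_ context.Context, host string) ([]netip.Addr, error) {
		var out []netip.Addr
		for _, s := range table[host] {
			out = append(out, netip.MustParseAddr(s))
		}
		if out == nil {
			return nil, errors.New("no such host: " + host)
		}
		return out, nil
	}
}

// SystemLookup is the production resolver, backed by net.DefaultResolver.
func SystemLookup(ctx context.Context, host string) ([]netip.Addr, error) {
	return net.DefaultResolver.LookupNetIP(ctx, "ip", host)
}

// Ranges the netip Is* helpers do not flag but an outbound fetcher should still refuse.
var extraBlocked = []netip.Prefix{
	netip.MustParsePrefix("100.64.0.0/10"),      // carrier-grade NAT
	netip.MustParsePrefix("255.255.255.255/32"), // limited broadcast
}

// disallowed reports whether an address points somewhere the server must not fetch from.
func disallowed(a netip.Addr) bool {
	a = a.Unmap() // treat ::ffff:10.0.0.1 the same as 10.0.0.1
	if a.IsLoopback() || a.IsPrivate() || a.IsUnspecified() ||
		a.IsLinkLocalUnicast() || a.IsLinkLocalMulticast() || a.IsMulticast() {
		return true
	}
	for _, p := range extraBlocked {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// ValidateOutboundURL enforces the scheme, rejects embedded credentials, resolves the host and
// checks every address. It returns the vetted addresses so the caller connects to exactly those.
func ValidateOutboundURL(ctx context.Context, raw string, lookup LookupFunc) ([]netip.Addr, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("%w: %v", ErrBlocked, err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("%w: scheme %q", ErrBlocked, u.Scheme)
	}
	if u.User != nil {
		return nil, fmt.Errorf("%w: credentials in URL", ErrBlocked)
	}
	host := u.Hostname()
	var addrs []netip.Addr
	if ip, perr := netip.ParseAddr(host); perr == nil {
		addrs = []netip.Addr{ip} // literal IP: nothing to resolve
	} else if addrs, err = lookup(ctx, host); err != nil {
		return nil, fmt.Errorf("%w: resolving %q: %v", ErrBlocked, host, err)
	}
	for _, a := range addrs {
		if disallowed(a) {
			return nil, fmt.Errorf("%w: %s resolves to %s", ErrBlocked, host, a)
		}
	}
	return addrs, nil
}

// PinnedClient dials only the already-vetted address (TLS verification still uses the URL's
// hostname) and refuses redirects, so neither a DNS change between check and use nor a 3xx
// response can move the request to another destination.
func PinnedClient(addr netip.Addr) *http.Client {
	tr := &http.Transport{DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
		_, port, err := net.SplitHostPort(address) // keep the requested port, swap in the vetted IP
		if err != nil {
			return nil, err
		}
		return (&net.Dialer{Timeout: 5 * time.Second}).DialContext(ctx, network, net.JoinHostPort(addr.String(), port))
	}}
	return &http.Client{Transport: tr, Timeout: 10 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}
}
```

In production the call is `ValidateOutboundURL(ctx, userURL, SystemLookup)` followed by `PinnedClient(addrs[0]).Get(userURL)`. Two design points matter for a guard like this: every resolved address is checked, not just the first, because a name that returns one public and one internal address is a classic bypass; and the connection is pinned to the address that was checked, because resolving the name again at dial time reopens the window that validation closed. Egress firewall rules, as the advisory suggests, remain a useful second layer since they hold even when an application-level check is misconfigured.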
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-10-09
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
quantumnous new-api 0.9.0.4
quantumnous new-api 0.9.0.5
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an authenticated Server-Side Request Forgery (SSRF) in the New API system, which is a large language model gateway and AI asset management system. Authenticated users can submit a URL for the server to process, but the application does not properly validate these URLs before making server-side requests. This allows an attacker to craft malicious URLs that cause the server to send requests to arbitrary internal or external services, potentially exposing sensitive information or enabling further attacks. The vulnerability affects versions prior to 0.9.0.5 and has been patched in that version by adding a user-configurable SSRF protection module.


How can this vulnerability impact me?

This vulnerability can impact you by allowing an attacker with authenticated access to coerce the server into making requests to arbitrary internal or external services. This can lead to unauthorized access to internal resources, data leakage, or interaction with unintended services. Since the vulnerability allows high-impact confidentiality breaches (as indicated by the CVSS score), it can compromise sensitive data and potentially facilitate further attacks within the network.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, you should upgrade to version 0.9.0.5 or later where the vulnerability is patched. If upgrading is not possible right away, enable the new-api image processing worker (new-api-worker) and/or configure egress firewall rules to restrict outbound requests from the server.

