CVE-2025-12488
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-12488, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-11-06

Last updated on: 2025-11-12

Assigner: Zero Day Initiative

Description

oobabooga text-generation-webui trust_remote_code Reliance on Untrusted Inputs Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of oobabooga text-generation-webui. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the trust_remote_code parameter provided to the load endpoint. The issue results from the lack of proper validation of a user-supplied argument before using it to load a model. An attacker can leverage this vulnerability to execute code in the context of the service account. . Was ZDI-CAN-26680.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-11-06
Last Modified
2025-11-12
Generated
2026-07-06
AI Q&A
2025-11-06
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
oobabooga text-generation-webui 3.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-807 The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the oobabooga text-generation-webui application, specifically in the handling of the trust_remote_code parameter at the load endpoint. The application does not properly validate this user-supplied parameter before using it to load a model. As a result, a remote attacker can exploit this flaw to execute arbitrary code on the affected system without needing authentication.

Impact Analysis

An attacker can remotely execute arbitrary code on the affected system with the privileges of the service account running the application. This can lead to full compromise of the system, including data theft, system manipulation, or further attacks within the network. Since no authentication is required, the risk of exploitation is high.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12488. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart