CVE-2025-12488
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-06

Last updated on: 2025-11-12

Assigner: Zero Day Initiative

Description
oobabooga text-generation-webui trust_remote_code Reliance on Untrusted Inputs Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of oobabooga text-generation-webui. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the trust_remote_code parameter provided to the load endpoint. The issue results from the lack of proper validation of a user-supplied argument before using it to load a model. An attacker can leverage this vulnerability to execute code in the context of the service account. . Was ZDI-CAN-26680.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-06
Last Modified
2025-11-12
Generated
2026-06-16
AI Q&A
2025-11-06
EPSS Evaluated
2026-06-14
NVD
CVE-2025-12488
EUVD
EUVD-2025-38157
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
oobabooga text-generation-webui 3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-807 The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the oobabooga text-generation-webui application, specifically in the handling of the trust_remote_code parameter at the load endpoint. The application does not properly validate this user-supplied parameter before using it to load a model. As a result, a remote attacker can exploit this flaw to execute arbitrary code on the affected system without needing authentication.

Impact Analysis

An attacker can remotely execute arbitrary code on the affected system with the privileges of the service account running the application. This can lead to full compromise of the system, including data theft, system manipulation, or further attacks within the network. Since no authentication is required, the risk of exploitation is high.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12488. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart