CVE-2025-62155
BaseFortify
Publication date: 2025-11-25
Last updated on: 2025-11-25
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| new_api | large_language_model_gateway | 0.9.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Server-Side Request Forgery (SSRF) issue in the New API large language model gateway and AI asset management system. Although a fix was applied, it only restricted the first URL request. An attacker can exploit a 302 redirect to bypass these restrictions and make the system access internal network resources that should be protected. This vulnerability was patched in version 0.9.6.
How can this vulnerability impact me?
This vulnerability can allow an attacker to bypass security controls and access internal network resources through SSRF attacks. This could lead to unauthorized access to sensitive internal systems or data, potentially compromising confidentiality and integrity within the affected environment.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the New API large language model gateway and AI asset management system to version 0.9.6 or later, as this version contains the patch that fixes the SSRF vulnerability including the bypass method involving 302 redirects.
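The bypass described above works because the destination check ran only on the first URL, while Go's HTTP client follows a 302 automatically. An added example of the defensive pattern, written for this page and not the project's own fix (the function names are chosen here): validate the target on every hop by hooking `CheckRedirect`, and reject any host that is, or resolves to, a private or link-local address.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// isPrivateIP: loopback, link-local (incl. 169.254.169.254 metadata),
// RFC 1918 / ULA, unspecified and multicast addresses are never fetchable.
func isPrivateIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsPrivate() ||
		ip.IsUnspecified() || ip.IsMulticast()
}

// validateTarget rejects non-http(s) schemes and hosts that are, or resolve
// to, a private address. It must run on every hop, not just the first URL.
func validateTarget(u *url.URL) error {
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not an IP literal: resolve it (needs DNS)
		var err error
		if ips, err = net.LookupIP(host); err != nil {
			return fmt.Errorf("resolve %s: %w", host, err)
		}
	}
	for _, ip := range ips {
		if isPrivateIP(ip) {
			return fmt.Errorf("host %s maps to disallowed address %s", host, ip)
		}
	}
	return nil
}

// newSafeClient re-validates the Location of every redirect, so a public
// first URL cannot 302 the gateway into an internal address (CWE-918 bypass).
func newSafeClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return fmt.Errorf("too many redirects (%d)", len(via))
			}
			return validateTarget(req.URL)
		},
	}
}
```

Call `validateTarget` on the initial URL as well before handing it to `newSafeClient()`; note that checking a hostname and then dialing it separately still leaves a DNS-rebinding window, which is closed by pinning the validated IP in the client's dialer.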