CVE-2025-55573

8.8 HIGH

📋 TL;DR

QuantumNous new-api v0.8.5.2 contains a cross-site scripting (XSS) vulnerability: attacker-supplied input is rendered into pages viewed by other users without adequate output encoding, so the attacker's script runs in those users' browsers with their session. Successful exploitation can lead to session hijacking, credential theft, or defacement of the application's pages.

💻 Affected Systems

Products:
  • QuantumNous new-api
Versions: v0.8.5.2 (the only version named in the advisory; whether earlier releases are affected is not stated, so treat older builds as untested rather than safe)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any deployment using the default configuration is vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker steals an administrator's session or credentials through the injected script, gains full control of the new-api instance and the secrets it holds, and uses that access as a foothold into the surrounding network.

🟠

Likely Case

Session hijacking leading to unauthorized access to user accounts and data theft.

🟢

If Mitigated

Limited impact where user-controlled values are output-encoded at render time and a restrictive Content Security Policy is enforced.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS vulnerabilities typically have low exploitation complexity once the injection point is identified; for a stored XSS the attacker only needs to plant the payload and wait for a privileged user to view the page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: Not applicable until a patch is published; deploying a new build will require restarting the service.

Instructions:

1. Monitor the official GitHub repository for updates.
2. Apply the patch when available.
3. Test in a non-production environment first.

🔧 Temporary Workarounds

Implement Content Security Policy

Add a CSP header to restrict where scripts may load from. A policy of `default-src 'self'; script-src 'self'` blocks inline scripts and scripts from other origins, which neutralises most injected payloads, but it also blocks any inline scripts or styles the application's own pages rely on. Test the UI after deploying it, and allow legitimate inline scripts with nonces or hashes rather than loosening the policy with 'unsafe-inline'. This is a mitigation, not a fix: the injection point is still there.

Header to add at the reverse proxy or in the application: Content-Security-Policy: default-src 'self'; script-src 'self'
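The following is an added example (not code from new-api or from this advisory) showing how a reverse proxy or middleware written in Go, the language of the new-api codebase, can apply the policy above while still allowing the application's own inline scripts. It generates a fresh nonce per response, puts it in the header, and passes it to the page through the request context; the handler name `page` and the markup it emits are hypothetical stand-ins for the real application:

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
)

type nonceKey struct{}

// newNonce returns 128 bits from the OS CSPRNG as URL-safe base64, which is
// a valid CSP base64-value. A guessable nonce would let injected script reuse it.
func newNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// cspHeader keeps the advisory's 'self' restriction and adds a per-response
// nonce so the application's own inline <script> tags keep working without
// 'unsafe-inline'; object-src 'none' and base-uri 'self' close two common loopholes.
func cspHeader(nonce string) string {
	return fmt.Sprintf(
		"default-src 'self'; script-src 'self' 'nonce-%s'; object-src 'none'; base-uri 'self'",
		nonce)
}

// WithCSP wraps any http.Handler (here a stand-in for the proxy in front of
// new-api), sets the header on every response and exposes the nonce to the
// downstream handler through the request context.
func WithCSP(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		nonce, err := newNonce()
		if err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Security-Policy", cspHeader(nonce))
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), nonceKey{}, nonce)))
	})
}

// NonceFrom retrieves the nonce placed in the context by WithCSP.
func NonceFrom(r *http.Request) string {
	n, _ := r.Context().Value(nonceKey{}).(string)
	return n
}

// page is a hypothetical handler standing in for the application's HTML: its
// own inline script carries the nonce, so the browser runs it, while an
// injected <script> tag without the nonce is refused under this policy.
func page(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprintf(w, `<!doctype html><script nonce=%q>console.log("app boot")</script><p>hello</p>`, NonceFrom(r))
}

func main() {
	http.ListenAndServe("127.0.0.1:8080", WithCSP(http.HandlerFunc(page)))
}
```

Because the nonce changes on every response, the page must be generated per request; a cached static copy would carry a stale nonce and its inline script would stop running, which is the signal to fall back to hashes for that script instead.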

Enforce Output Encoding (and Input Validation)

Validate inputs server-side, but treat that as secondary: the actual fix for XSS is encoding user-controlled values at the point they are rendered, using the encoding for the context (HTML text, attribute, URL, script). Blocklist-style "sanitization" that strips `<script>` is bypassed by other tags and event handlers and should not be relied on.

Implement contextual output encoding in the application's rendering code
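To make the difference concrete, here is an added Go example (not code from new-api or from this advisory) placing the blocklist approach next to a vulnerable string-interpolation render and a hardened render that uses Go's html/template contextual escaper. The function names and the profile template are hypothetical:

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// blocklistSanitize is the kind of "input sanitization" often proposed as a
// workaround: strip a couple of well-known tags. It is bypassed by any other
// tag with an event handler and by nesting the blocked token inside itself.
func blocklistSanitize(s string) string {
	for _, bad := range []string{"<script>", "</script>"} {
		s = strings.ReplaceAll(s, bad, "")
	}
	return s
}

// renderVulnerable interpolates user-controlled text straight into HTML,
// the pattern behind a stored or reflected XSS.
func renderVulnerable(displayName string) string {
	return fmt.Sprintf(`<p>Welcome, %s</p>`, displayName)
}

// profileTmpl is parsed once. html/template inspects where each action sits
// (text node, quoted attribute, href) and picks the encoder for that context.
var profileTmpl = template.Must(template.New("profile").Parse(
	`<p>Welcome, {{.Name}}</p><a title="{{.Name}}" href="{{.Link}}">profile</a>`))

// renderSafe encodes at the sink. Angle brackets become entities in text and
// attribute positions, and a javascript: URL in href is replaced with the
// inert "#ZgotmplZ" marker rather than being emitted.
func renderSafe(displayName, link string) (string, error) {
	var buf bytes.Buffer
	err := profileTmpl.Execute(&buf, map[string]string{"Name": displayName, "Link": link})
	return buf.String(), err
}

func main() {
	// Constructed payload: no <script> tag, so the blocklist lets it through.
	evil := `<img src=x onerror=alert(document.cookie)>`
	fmt.Println(renderVulnerable(blocklistSanitize(evil)))
	out, err := renderSafe(evil, "javascript:alert(1)")
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

The hardened path still accepts the raw input; it just cannot become markup when rendered. That is the property to verify after any fix, rather than whether a particular string was rejected on the way in.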

🧯 If You Can't Patch

  • Put a Web Application Firewall (WAF) with XSS rules in front of the service; this reduces but does not remove the risk, since encoded or obfuscated payloads routinely evade signature rules
  • Disable the vulnerable endpoints or restrict access to trusted users only, and keep the instance off the public internet until a fix ships

🔍 How to Verify

Check if Vulnerable:

Check whether the deployment runs QuantumNous new-api version 0.8.5.2, via the version endpoint if one is exposed, or from the configuration files, binary or container image tag.

Check Version:

curl -s http://localhost:port/version | grep version

Replace `port` with the port the service actually listens on. If the deployment does not expose a version endpoint, fall back to the image tag or the release the binary was built from.

Verify Fix Applied:

After updating, re-test the affected input in a non-production environment with a benign probe string containing `<` and `>` and confirm it is rendered encoded (`&lt;`, `&gt;`) in the page source rather than interpreted as markup. Do this only against systems you are authorised to test.

📡 Detection & Monitoring

Log Indicators:

  • Script tags, event-handler attributes or `javascript:` URLs in request parameters recorded in access logs
  • Repeated requests with URL-encoded or double-encoded payloads from the same source, typical of an attacker probing for the injection point
  • Note that payloads submitted in POST bodies do not appear in standard access logs; application-level logging is needed to see them

Network Indicators:

  • HTTP requests containing script tags or JavaScript code in parameters

SIEM Query:

source="web_logs" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")

Apply this after URL-decoding the request fields and with case-insensitive matching; a literal, case-sensitive search misses `%3Cscript%3E`, double-encoded payloads and `<ScRiPt>`. Expect some noise from benign content that happens to contain these tokens.
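The same logic as the SIEM query, run over a handful of constructed access-log lines, as an added Go example that is not part of this advisory. It URL-decodes each line (repeatedly, to undo double encoding) and case-folds it before matching, which is what the query needs to catch the evasions noted above; the log lines, IP addresses and paths are made up for the example:

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// SampleLog holds constructed access-log lines in combined format; they are
// not taken from any real deployment. Line 4 is double URL-encoded and
// mixed-case, which a literal "<script>" search misses; line 5 is benign text
// that a token match still flags, illustrating the noise such rules produce.
var SampleLog = []string{
	`203.0.113.5 - - [11/Aug/2025:10:00:01 +0000] "GET /api/user/self HTTP/1.1" 200 512`,
	`203.0.113.9 - - [11/Aug/2025:10:00:02 +0000] "POST /api/user/self HTTP/1.1" 200 88`,
	`198.51.100.7 - - [11/Aug/2025:10:00:03 +0000] "GET /?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1024`,
	`198.51.100.7 - - [11/Aug/2025:10:00:04 +0000] "GET /?q=%253CiMg%2520src%253Dx%2520onERRor%253Dalert(1)%253E HTTP/1.1" 200 1024`,
	`203.0.113.11 - - [11/Aug/2025:10:00:05 +0000] "GET /docs?topic=javascript:closures HTTP/1.1" 200 2048`,
}

// indicators are the advisory's tokens plus a few common vectors, all in
// lowercase because the input is case-folded before matching.
var indicators = []string{"<script", "javascript:", "onerror=", "onload=", "<img", "<svg", "<iframe"}

// decodeFully reverses up to three layers of percent-encoding. PathUnescape is
// used rather than QueryUnescape so a literal '+' in the timestamp is kept.
// Attackers double-encode precisely because single-pass decoders stop early.
func decodeFully(s string) string {
	for i := 0; i < 3; i++ {
		d, err := url.PathUnescape(s)
		if err != nil || d == s {
			break
		}
		s = d
	}
	return s
}

type Hit struct {
	Line      string
	Indicator string
}

// ScanLog returns one Hit per line whose decoded, case-folded form contains
// an indicator, recording the first indicator that fired.
func ScanLog(lines []string) []Hit {
	var hits []Hit
	for _, line := range lines {
		norm := strings.ToLower(decodeFully(line))
		for _, ind := range indicators {
			if strings.Contains(norm, ind) {
				hits = append(hits, Hit{Line: line, Indicator: ind})
				break
			}
		}
	}
	return hits
}

func main() {
	for _, h := range ScanLog(SampleLog) {
		fmt.Printf("%-12s %s\n", h.Indicator, h.Line)
	}
}
```

The POST on line 2 produces no hit even though a stored-XSS payload would most likely travel in its body; that gap is why application-level request logging, not just proxy access logs, is needed to detect the planting of the payload rather than only its later probing.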
