CVE-2025-62155
📋 TL;DR
This CVE describes a Server-Side Request Forgery (SSRF) bypass vulnerability in New API (an LLM gateway and AI asset management system). Attackers can exploit this by using HTTP 302 redirects to bypass security restrictions and access internal network resources. Organizations using New API versions before 0.9.6 are affected.
💻 Affected Systems
- New API (LLM gateway and AI asset management system)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of internal network services, data exfiltration, lateral movement to critical systems, and potential ransomware deployment.
Likely Case
Unauthorized access to internal APIs, metadata services, cloud instance metadata, and internal web applications leading to data leakage.
If Mitigated
Limited to reconnaissance of internal network structure and potential denial of service against internal services.
🎯 Exploit Status
SSRF bypass via 302 redirects is a well-known technique requiring minimal technical skill to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.9.6
Vendor Advisory: https://github.com/QuantumNous/new-api/security/advisories/GHSA-9f46-w24h-69w4
Restart Required: Yes
Instructions:
1. Back up the current configuration and data.
2. Stop the New API service.
3. Update to version 0.9.6 using your package manager or a manual installation.
4. Restart the New API service.
5. Verify functionality.
🔧 Temporary Workarounds
Network Segmentation
Restrict outbound network access from New API instances to only necessary external services. The rules below reject outbound connections to the private and link-local ranges that a redirect could otherwise land on; add ACCEPT rules ahead of them for any internal host New API legitimately needs (its own database, for example).
iptables -A OUTPUT -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -d 192.168.0.0/16 -j REJECT
iptables -A OUTPUT -d 169.254.0.0/16 -j REJECT
Web Application Firewall Rules
Block requests containing redirect URLs or suspicious patterns in request parameters.
🧯 If You Can't Patch
- Implement strict network egress filtering to prevent New API from accessing internal network ranges.
- Deploy New API in a DMZ or isolated network segment with no access to internal resources.
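As an added illustration of what an application-level fix has to do (example code written for this page, not taken from the New API repository or its 0.9.6 patch), the Go snippet below validates the user-supplied URL and then re-runs the same check on every redirect target through http.Client's CheckRedirect hook, so a 302 pointing at a private, loopback or link-local address is refused instead of followed. New API itself is a Go service; the 10.0.0.0/8 and 203.0.113.0/24 addresses in the comments and tests are constructed examples.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// Loopback, RFC 1918, link-local (169.254.0.0/16, cloud metadata) and unspecified are never valid upstreams.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified()
}

// checkDestination rejects a URL whose host is, or resolves to, an internal address.
// net.LookupIP hands IP literals (e.g. 10.0.0.5) back without a DNS round trip.
func checkDestination(u *url.URL) error {
	host := u.Hostname()
	ips, err := net.LookupIP(host)
	if err != nil {
		return fmt.Errorf("ssrf guard: resolve %q: %w", host, err)
	}
	for _, ip := range ips {
		if isInternalIP(ip) {
			return fmt.Errorf("ssrf guard: %s is internal address %s", host, ip)
		}
	}
	return nil
}

// redirectPolicy re-validates every hop: checking only the first URL is what a 302 to an internal host bypasses.
func redirectPolicy(req *http.Request, via []*http.Request) error {
	if len(via) >= 5 { // a custom CheckRedirect replaces Go's default 10-hop limit
		return fmt.Errorf("ssrf guard: too many redirects (%d)", len(via))
	}
	return checkDestination(req.URL)
}

// safeGet validates the initial URL, then fetches it with a client that applies the same guard to each hop.
func safeGet(rawURL string) (*http.Response, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if err := checkDestination(u); err != nil {
		return nil, err
	}
	return (&http.Client{CheckRedirect: redirectPolicy}).Get(u.String())
}
```

Resolving the name in the check and again inside the client leaves a small window for DNS rebinding; the stricter form runs the same isInternalIP test in the transport's dial hook, on the address actually being connected to.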
🔍 How to Verify
Check if Vulnerable:
Check the New API version via the admin interface or configuration files. If the version is below 0.9.6, the system is vulnerable.
Check Version:
curl -s http://localhost:8000/version | grep version
Verify Fix Applied:
After updating to 0.9.6, SSRF test attempts that rely on 302 redirects should be blocked. Review the logs to confirm that these requests were rejected.
📡 Detection & Monitoring
Log Indicators:
- Multiple HTTP 302 redirect responses from external domains
- Outbound requests to internal IP ranges (10.x.x.x, 172.16.x.x, 192.168.x.x)
- Unusual request patterns to New API endpoints with URL parameters
Network Indicators:
- Unexpected outbound connections from New API server to internal services
- HTTP traffic to internal IP addresses from New API
SIEM Query:
source="new-api.log" AND (http_status=302 OR dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16))