CVE 8.5 HIGH

QuantumNous New API Has SSRF Bypass_CVE-2025-62155

November 24, 2025 invoker category_cve

8.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Description

New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.9.6, a recently patched SSRF vulnerability contains a bypass method that can bypass the existing security fix and still allow SSRF to occur.
Because the existing fix only applies security restrictions to the first URL request, a 302 redirect can bypass existing security measures and successfully access the intranet. This issue has been patched in version 0.9.6.

AI Analysis

SSRF vulnerability bypass in New API prior to version 0.9.6

Basic Information

ID CVE-2025-62155

Source GitHub_M

Published Nov 24, 2025 at 23:56

Affected Product

Vendor QuantumNous

Product new-api

Version < 0.9.6

Affected Versions QuantumNous new-api < 0.9.6

CWE Classification

CWE-918

AI Assessment

AI Score 8.5 / 10

AI Severity High

Vendor QuantumNous

Product New API

Version < 0.9.6

References

github.com /QuantumNous/new-api/security/advisories/GHSA-9f46-w24h-69w4

{
    "lastseen": "",
    "description": "New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.9.6, a recently patched SSRF vulnerability contains a bypass method that can bypass the existing security fix and still allow SSRF to occur.\nBecause the existing fix only applies security restrictions to the first URL request, a 302 redirect can bypass existing security measures and successfully access the intranet. This issue has been patched in version 0.9.6.",
    "published": "2025-11-24T23:56:52.293Z",
    "modified": "2025-11-24T23:56:52.293Z",
    "type": "cve",
    "title": "QuantumNous New API Has SSRF Bypass",
    "source": "GitHub_M",
    "references": "https://github.com/QuantumNous/new-api/security/advisories/GHSA-9f46-w24h-69w4",
    "id": "CVE-2025-62155",
    "bulletinFamily": "",
    "cwe": [
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "QuantumNous new-api < 0.9.6",
    "sourceHref": "",
    "cvss": {
        "score": 8.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "new-api",
    "version": "< 0.9.6",
    "vendor": "QuantumNous",
    "ai_description": "SSRF vulnerability bypass in New API prior to version 0.9.6",
    "ai_severity": "High",
    "ai_vendor": "QuantumNous",
    "ai_product": "New API",
    "ai_version": "< 0.9.6",
    "ai_score": 8.5
}

💭 Join the Security Discussion ❌ Cancel Reply