CVE-2025-62155: Critical SSRF Bypass Threatens New API LLM Gateway

Overview

CVE-2025-62155 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in New API, an LLM gateway and AI asset management system. It affects versions before 0.9.6. The project had already added a check intended to block SSRF, but that check can be bypassed: an attacker points the gateway at a server they control, that server answers with an HTTP 302 redirect to an internal address, and the gateway follows the redirect into the internal network, reaching resources the check was supposed to protect.

Technical Details

The initial SSRF fix in New API applied its restrictions only to the first URL of a request. The bypass is the classic redirect trick: the attacker supplies a URL on a host they control, which passes the check, and that host answers with an HTTP 302 whose Location header points at an internal resource. Because the check runs once, on the URL the attacker supplied, and is never repeated on the Location that the HTTP client then follows automatically, the redirected request reaches internal systems that the check was meant to keep out of reach. For example:

        Attacker Request (the endpoint and parameter name are illustrative):  `https://vulnerable-new-api.example.com/api?url=https://attacker.com/redirect.php`

        redirect.php (on attacker.com):
        <?php
        // Setting only a Location header makes PHP respond with 302 Found by default.
        header("Location: http://internal-service.example.com/sensitive-data");
        exit(); // stop here so no body is sent with the redirect
        ?>
        

In this scenario, the New API server fetches `https://attacker.com/redirect.php`, which answers with a 302 pointing at `http://internal-service.example.com/sensitive-data`. The SSRF check only ever sees `https://attacker.com/redirect.php`; attacker.com is an ordinary public host, so the check passes, the HTTP client follows the redirect, and the internal resource is fetched on the attacker's behalf. A 301, 303, 307 or 308 serves the same purpose as the 302; what matters is that the client follows the Location header without re-validating it.

CVSS Analysis

This vulnerability has been assigned a CVSS score of 8.5, which falls in the High band (7.0 to 8.9); Critical starts at 9.0. The full vector is not reproduced here, and it cannot be reconstructed from the score alone. A vector with network attack vector, low attack complexity, no privileges, no user interaction and high impact on confidentiality, integrity and availability would score 9.8, so an 8.5 necessarily reflects at least one lesser factor, for instance privileges required on the gateway or a partial impact on one of the three properties. Consult the advisory for the exact vector before using the score for prioritisation.

Possible Impact

The successful exploitation of this SSRF vulnerability can have severe consequences, including:

  • Data Leakage: Reading responses from internal HTTP services that were never meant to be reachable from outside, including cloud instance metadata endpoints (169.254.169.254 on the major providers) that hand out temporary credentials, internal admin interfaces, and endpoints that expose configuration, database credentials, or proprietary code.
  • Internal Network Scanning: Using response timing and error differences to enumerate internal hosts, open ports and services, which feeds further attacks.
  • Remote Code Execution: Chaining the SSRF with an internal service that accepts unauthenticated requests (a management API, a message queue, a cache with a network protocol) to execute code on internal systems.
  • Denial of Service: Directing a high volume of requests at an internal service, or at the gateway's own upstreams, until it exhausts its resources and becomes unavailable.

Mitigation or Patch Steps

The vulnerability has been patched in version 0.9.6 of the New API. Users are strongly advised to upgrade to version 0.9.6 or later immediately to mitigate the risk of exploitation. Beyond upgrading, consider the following security best practices:

  • Input Validation: Parse URLs rather than pattern-matching them. Reject schemes other than http and https, empty hosts, and any host that resolves to a loopback, private, link-local or otherwise non-public address.
  • URL Allowlisting: Where the set of legitimate upstreams is known (model providers, for example), allow only those hosts. A denylist of private ranges is the fallback, not the first choice.
  • Redirect Handling: Disable automatic redirects where they are not needed. Where they are, validate every hop's destination before it is fetched, not just the first URL, and apply the check to the resolved IP address rather than the hostname, so that a DNS answer that changes between the check and the connect (DNS rebinding) cannot reopen the hole.
  • Network Segmentation: Segment the network so that the gateway cannot reach critical internal services at all; an SSRF that has nowhere interesting to go is far less valuable to an attacker.
  • Regular Security Audits: Conduct regular security audits and penetration testing, with SSRF test cases that include redirect chains, so that bypasses of this kind are found before they are exploited.
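The per-hop check described under Technical Details and the redirect handling recommended above, shown together as an added example in Go (the language New API is written in). This is not New API's code and does not reproduce its fix; it is a self-contained model of the bug beside one hardened client. The hostnames attacker.example and internal.example, the redirect chain, the in-process fake network and the fake resolver are all constructed for the demo, and the helper names (validateTarget, dialControl, fetch) are this example's own, not the project's API.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"strings"
	"syscall"
)

// Resolver abstracts DNS so the policy can run offline against fakeDNS below.
type Resolver func(host string) ([]net.IP, error)

// blockedIP: loopback, RFC 1918/ULA, link-local (covers 169.254.169.254), unspecified, multicast.
func blockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// validateTarget is the per-hop check; the pre-0.9.6 fix applied it to the first URL only.
func validateTarget(u *url.URL, resolve Resolver) error {
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	ips, err := resolve(u.Hostname())
	if err != nil || len(ips) == 0 {
		return fmt.Errorf("cannot resolve %q", u.Hostname())
	}
	for _, ip := range ips {
		if blockedIP(ip) {
			return fmt.Errorf("%s resolves to blocked address %s", u.Hostname(), ip)
		}
	}
	return nil
}

// dialControl re-checks the IP the socket really connects to, closing the DNS-rebinding
// window between validateTarget's lookup and the connect. Wire it in with net.Dialer{Control: dialControl}.
func dialControl(_, address string, _ syscall.RawConn) error {
	host, _, _ := net.SplitHostPort(address) // on a malformed address host=="" and we fail closed
	if ip := net.ParseIP(host); ip == nil || blockedIP(ip) {
		return fmt.Errorf("connect to %s refused by SSRF policy", address)
	}
	return nil
}

// fetch validates the initial URL, then issues the GET. checkHops=false follows redirects
// unchecked (the vulnerable behaviour); checkHops=true validates every Location first.
func fetch(rawURL string, resolve Resolver, rt http.RoundTripper, checkHops bool) (string, error) {
	u, err := url.Parse(rawURL)
	if err == nil {
		err = validateTarget(u, resolve)
	}
	if err != nil {
		return "", err
	}
	c := &http.Client{Transport: rt}
	if checkHops {
		c.CheckRedirect = func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 { // setting CheckRedirect drops the default 10-hop cap, so cap it here
				return errors.New("too many redirects")
			}
			return validateTarget(req.URL, resolve)
		}
	}
	resp, err := c.Get(u.String())
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// fakeNet is a constructed stand-in for the network: attacker.example answers with a 302
// to an internal host, which serves a secret. Nothing here touches a real socket.
type fakeNet struct{}

func (fakeNet) RoundTrip(req *http.Request) (*http.Response, error) {
	r := &http.Response{StatusCode: 404, Header: http.Header{}, Body: http.NoBody, Request: req}
	switch req.URL.Host {
	case "attacker.example":
		r.StatusCode, r.Header["Location"] = 302, []string{"http://internal.example/sensitive-data"}
	case "internal.example":
		r.StatusCode, r.Body = 200, io.NopCloser(strings.NewReader("SECRET"))
	}
	return r, nil
}

// fakeDNS is constructed too: attacker.example is public (TEST-NET-3), internal.example is RFC 1918.
func fakeDNS(host string) ([]net.IP, error) {
	addr := map[string]string{"attacker.example": "203.0.113.10", "internal.example": "10.0.0.5"}[host]
	if addr == "" {
		return nil, errors.New("NXDOMAIN")
	}
	return []net.IP{net.ParseIP(addr)}, nil
}

func main() {
	for _, hops := range []bool{false, true} {
		body, err := fetch("http://attacker.example/redirect", fakeDNS, fakeNet{}, hops)
		fmt.Printf("checkHops=%v body=%q err=%v\n", hops, body, err)
	}
}
```

Running it prints two lines: with checkHops=false the body is "SECRET", which is the bypass; with checkHops=true the request stops at the redirect with an error naming 10.0.0.5. In a real deployment, replace the fake RoundTripper with an http.Transport built on a net.Dialer whose Control field is dialControl, and replace fakeDNS with net.LookupIP, so that both the hostname check and the connect-time check are enforced.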

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.