Authenticated Server-Side Request Forgery in New API Asset Management System
CVE-2025-59146

8.5 HIGH

Key Information:

CVE Published: 9 October 2025

What is CVE-2025-59146?

An authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the New API (new-api) asset management system. The application fetches user-supplied URLs without sufficient validation, so any user with a registered account can make the server issue requests to arbitrary internal or external destinations, including services on the internal network that are not reachable from the Internet. This can expose data from those services and serve as a stepping stone for further attacks. Version 0.9.0.5 fixes the issue by adding an SSRF protection module that is enabled by default and user-configurable. For deployments that cannot upgrade immediately, temporary mitigations are available: enabling the new-api image processing worker, and restricting egress at the firewall so the server cannot reach internal address ranges.
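new-api is written in Go, so the following added example is in Go. It is not code from the new-api project or from its SSRF protection module; it is an illustration written for this page of the two halves the advisory describes: the vulnerable pattern is passing a user-supplied URL straight to http.Get, and the hardened path is what a protection module has to do instead (allow only http(s), decide on the resolved addresses rather than the hostname, refuse loopback, private, link-local and metadata ranges, and re-check at connect time so a DNS answer cannot change between validation and use). The function names, the demoResolver lookup table and the host names in it are assumptions constructed for the demo.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"time"
)

// Resolver is the DNS lookup used by the checks; injectable so they run offline against a table.
type Resolver func(ctx context.Context, host string) ([]netip.Addr, error)

// Unspecified, loopback, RFC 1918, CGNAT, link-local (holds the 169.254.169.254 cloud
// metadata endpoint), multicast/reserved, and the IPv6 equivalents.
var blockedNets = func() (ps []netip.Prefix) {
	for _, s := range []string{"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
		"169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
		"::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8"} {
		ps = append(ps, netip.MustParsePrefix(s))
	}
	return ps
}()

// resolveAllowed decides on resolved addresses, not the hostname string, and rejects the host
// if ANY answer is blocked: this defeats "localhost", odd IP spellings and attacker-run DNS.
func resolveAllowed(ctx context.Context, host string, resolve Resolver) ([]netip.Addr, error) {
	ip, err := netip.ParseAddr(host)
	addrs := []netip.Addr{ip}
	if err != nil { // not an IP literal, so ask DNS
		if addrs, err = resolve(ctx, host); err != nil {
			return nil, err
		}
	}
	if len(addrs) == 0 {
		return nil, fmt.Errorf("ssrf: %q has no addresses", host)
	}
	for _, a := range addrs {
		for _, p := range blockedNets { // Unmap so ::ffff:127.0.0.1 matches 127.0.0.0/8
			if p.Contains(a.Unmap()) {
				return nil, fmt.Errorf("ssrf: %q resolves to blocked address %s", host, a)
			}
		}
	}
	return addrs, nil
}

// checkURL is the pre-flight validation a handler runs on a user-supplied URL:
// parseable, http(s) only (no file:, gopher:, dict: ...), no embedded credentials, public host.
func checkURL(ctx context.Context, raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.User != nil || u.Hostname() == "" {
		return fmt.Errorf("ssrf: rejected URL %q", raw)
	}
	_, err = resolveAllowed(ctx, u.Hostname(), resolve)
	return err
}

// newSafeClient repeats the check inside the dialer and connects to the vetted IP, not the name,
// so a DNS answer that changes between check and connect (rebinding) cannot redirect the request;
// each redirect hop is re-validated, and Proxy is nil so *_PROXY env vars are not applied.
func newSafeClient(resolve Resolver) *http.Client {
	dial := func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, port, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}
		addrs, err := resolveAllowed(ctx, host, resolve)
		if err != nil {
			return nil, err
		}
		return (&net.Dialer{Timeout: 5 * time.Second}).DialContext(ctx, network, net.JoinHostPort(addrs[0].String(), port))
	}
	return &http.Client{
		Timeout:   15 * time.Second,
		Transport: &http.Transport{Proxy: nil, DialContext: dial},
		CheckRedirect: func(req *http.Request, _ []*http.Request) error {
			return checkURL(req.Context(), req.URL.String(), resolve)
		},
	}
}

// demoResolver is a constructed table standing in for DNS; names and addresses are invented for this demo.
func demoResolver(_ context.Context, host string) (out []netip.Addr, _ error) {
	table := map[string][]string{"public.example": {"203.0.113.10"}, "localhost": {"127.0.0.1"},
		"metadata.internal": {"169.254.169.254"}, "rebind.example": {"203.0.113.10", "10.0.0.5"}}
	for _, s := range table[host] {
		out = append(out, netip.MustParseAddr(s))
	}
	return out, nil
}

func main() {
	fmt.Println(checkURL(context.Background(), "http://[::ffff:127.0.0.1]/", demoResolver))
	_, err := newSafeClient(demoResolver).Get("http://metadata.internal/latest/meta-data/")
	fmt.Println(err) // the dialer refuses before any connection is attempted
}
```

Two details matter in practice. A name that resolves to a mix of public and internal addresses (rebind.example in the demo table) is rejected outright, because the resolver that later answers the connection may hand back only the internal one. And the egress-firewall mitigation the advisory lists is the network-level counterpart of blockedNets: it catches what an application-level check misses, so the two are complementary rather than alternatives.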

Affected Version(s)

new-api < 0.9.0.5

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published: 9 October 2025

  • Vulnerability reserved
