CVE-2025-62155: 
Schwachstellenanalyse und -minderung

CVE-2025-62155 is a Server-Side Request Forgery (SSRF) bypass vulnerability affecting the github.com/QuantumNous/new-api package versions 0.9.5 and below. The vulnerability was discovered and published on November 23, 2025, by researcher h3rrr and remediated by Calcium-Ion. This high-severity vulnerability allows attackers to bypass existing SSRF security measures through a 302 redirect mechanism (GitHub Advisory).

The vulnerability exploits a flaw in the security implementation where protection measures only apply to the initial URL request. By utilizing a 302 redirect, attackers can bypass the security restrictions and successfully access internal network resources. The vulnerability has been assigned a CVSS v3.1 score of 8.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N. The weakness is categorized as CWE-918 (Server-Side Request Forgery) (GitHub Advisory).

The vulnerability allows attackers to bypass SSRF security fixes through 302 redirects, potentially enabling unauthorized access to internal network resources. This can lead to high impact on confidentiality and low impact on integrity of the affected systems, while availability remains unaffected (GitHub Advisory).

The vulnerability has been patched in version 0.9.6 of the github.com/QuantumNous/new-api package. Users are advised to upgrade to this version to address the SSRF bypass vulnerability (GitHub Advisory).