CVE-2025-59146

Name of the Vulnerable Software and Affected Versions New API versions prior to 0.9.0.5

Description New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. An authenticated Server-Side Request Forgery (SSRF) issue exists because the application does not properly validate user-supplied URLs before making server-side requests. This allows authenticated users to submit a URL to a vulnerable endpoint, potentially coercing the server to send requests to arbitrary internal or external services. Server-Side Request Forgery (SSRF) occurs when an application makes requests to an unintended location. The vulnerability is not limited to image URLs and can be triggered with any link provided to the vulnerable endpoint.

Recommendations Update to version 0.9.0.5 or later to benefit from the new user-configurable SSRF protection module. As a temporary workaround, enable the new-api image processing worker (new-api-worker). As a temporary workaround, configure egress firewall rules.