PT-2025-44566 · Unknown · Oobabooga Text-Generation-Webui
Published 2025-10-30 · Updated 2025-11-10
CVE-2025-12488
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
oobabooga text-generation-webui versions prior to 2.5
Description
The software is susceptible to a remote code execution issue stemming from insufficient validation of user-supplied input. Specifically, the trust remote code parameter within the load endpoint is not properly validated before being used to load a model. This allows attackers to execute code in the context of the service account without authentication. The vulnerable parameter is trust remote code. The affected API endpoint is /load.
Recommendations
Disable the trust remote code functionality.
Restrict access to the /load API endpoint.
Fix
RCE
Weakness Enumeration
Related Identifiers
Affected Products
Oobabooga Text-Generation-Webui