
x/vulndb: potential Go vuln in github.com/QuantumNous/new-api: GHSA-9f46-w24h-69w4 #4154

@GoVulnBot

Description


Advisory GHSA-9f46-w24h-69w4 references a vulnerability in the following Go modules:

Module: one-api

Description:

Summary

A recently patched SSRF vulnerability has a bypass that circumvents the existing security fix and still allows SSRF to occur.
Because the existing fix applies its security restrictions only to the first URL requested, a 302 redirect bypasses those restrictions and successfully reaches the intranet.

Details

Deploy the following script on the attacker's server. Because ports 80, 443 and 8080 are default ports within the safe range configured by the administrator and are not blocked, the service is deployed on port 8080.

from flask import Flask, redirect  ...
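The bypass described above works because the URL check runs once, before the first request, while the HTTP client then follows redirects to destinations nobody inspected. The defensive pattern is to validate every connection the client actually makes, not the URL the caller handed in. The following Go program is an added example written for this report; it is not code from new-api, one-api or the referenced fix commit. It places the private-range and port-allowlist check in `net.Dialer.Control`, which runs after DNS resolution and on every hop (initial request and each redirect alike), and adds a `CheckRedirect` that caps the chain and re-validates the scheme. The allowlist of ports 80, 443 and 8080 mirrors the advisory's description; the sample addresses are constructed (203.0.113.10 is a documentation range), and no network access occurs when the program runs.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"syscall"
	"time"
)

// Constructed allowlist mirroring the advisory: ports 80, 443 and 8080 are
// inside the administrator-configured safe range.
var allowedPorts = map[string]bool{"80": true, "443": true, "8080": true}

// isForbiddenIP reports whether an outbound fetcher must never connect to ip:
// loopback, RFC 1918 private, link-local (covers 169.254.169.254-style
// metadata endpoints), unspecified and multicast ranges.
func isForbiddenIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// checkDialAddr validates the concrete host:port the transport is about to
// connect to. Because net.Dialer.Control runs after DNS resolution and for
// every connection, a 302 to an internal address is rejected at dial time,
// which is exactly the hop the one-shot URL check in the advisory missed.
func checkDialAddr(network, address string) error {
	host, port, err := net.SplitHostPort(address)
	if err != nil {
		return fmt.Errorf("malformed dial address %q: %w", address, err)
	}
	if !allowedPorts[port] {
		return fmt.Errorf("port %s is not in the allowlist", port)
	}
	ip := net.ParseIP(host)
	if ip == nil {
		// Control always receives an IP literal; anything else means
		// resolution was bypassed upstream, so refuse rather than guess.
		return fmt.Errorf("dial address %q is not an IP literal", host)
	}
	if isForbiddenIP(ip) {
		return fmt.Errorf("destination %s is in a forbidden range", ip)
	}
	return nil
}

// checkRedirect re-validates the scheme on every hop and caps the chain.
// The address itself is checked again by the dialer when the hop connects.
func checkRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 5 {
		return errors.New("stopped after 5 redirects")
	}
	if req.URL.Scheme != "http" && req.URL.Scheme != "https" {
		return fmt.Errorf("redirect to unsupported scheme %q", req.URL.Scheme)
	}
	return nil
}

// hardenedClient wires both checks into the client. Contrast with the
// vulnerable pattern the advisory describes: validate the URL once, then call
// http.Client.Get and let the default client follow redirects unchecked.
func hardenedClient() *http.Client {
	dialer := &net.Dialer{
		Timeout: 10 * time.Second,
		Control: func(network, address string, _ syscall.RawConn) error {
			return checkDialAddr(network, address)
		},
	}
	return &http.Client{
		Timeout:       30 * time.Second,
		CheckRedirect: checkRedirect,
		Transport: &http.Transport{
			DialContext: dialer.DialContext,
			// Proxy is left nil on purpose: an environment proxy would dial
			// on our behalf and sidestep the Control hook.
			Proxy: nil,
		},
	}
}

func main() {
	// Exercise the dial hook directly on constructed addresses; no sockets
	// are opened. 203.0.113.10 is a documentation-range address.
	samples := []string{
		"203.0.113.10:443",    // public host, allowed port -> accepted
		"127.0.0.1:8080",      // loopback on an allowed port -> rejected
		"10.0.0.5:80",         // RFC 1918 -> rejected
		"169.254.169.254:80",  // link-local metadata address -> rejected
		"203.0.113.10:6379",   // public host, port outside allowlist -> rejected
	}
	for _, addr := range samples {
		fmt.Printf("%-22s -> %v\n", addr, checkDialAddr("tcp4", addr))
	}
	_ = hardenedClient()
}
```

Putting the check in the dialer rather than on the URL also closes the gap where a hostname resolves to a public address when validated and to an internal one when connected, since the hook sees the address the socket will actually use. Any URL-level allowlist (scheme, port) should still be applied to the initial request before the first call, as the project's fix does; the dial hook is the layer that makes that check hold across redirects.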

References:
- ADVISORY: https://github.com/QuantumNous/new-api/security/advisories/GHSA-9f46-w24h-69w4
- ADVISORY: https://github.com/advisories/GHSA-9f46-w24h-69w4
- FIX: https://github.com/QuantumNous/new-api/commit/e8966c73746d35bb7f4f014ad1195a96d445cacd

No existing reports found with this module or alias.
See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: one-api
      non_go_versions:
        - fixed: 0.9.6
summary: new-api is vulnerable to SSRF Bypass in one-api
cves:
    - CVE-2025-62155
ghsas:
    - GHSA-9f46-w24h-69w4
references:
    - advisory: GHSA-9f46-w24h-69w4
    - advisory: GHSA-9f46-w24h-69w4
    - fix: QuantumNous/new-api@e8966c7
notes:
    - fix: 'one-api: could not add vulnerable_at: module one-api not known to proxy'
source:
    id: GHSA-9f46-w24h-69w4
    created: 2025-11-24T21:01:32.66220005Z
review_status: UNREVIEWED
