
CVE-2025-12488: CWE-807: Reliance on Untrusted Inputs in a Security Decision in oobabooga text-generation-webui

Critical
Tags: Vulnerability, CVE-2025-12488, CWE-807
Published: Thu Nov 06 2025 (11/06/2025, 20:11:52 UTC)
Source: CVE Database V5
Vendor/Project: oobabooga
Product: text-generation-webui

Description

oobabooga text-generation-webui trust_remote_code Reliance on Untrusted Inputs Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of oobabooga text-generation-webui. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the trust_remote_code parameter provided to the load endpoint. The issue results from the lack of proper validation of a user-supplied argument before using it to load a model. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26680.

AI-Powered Analysis

Last updated: 11/06/2025, 20:44:20 UTC

Technical Analysis

CVE-2025-12488 is a critical security vulnerability identified in version 2.5 of the oobabooga text-generation-webui, an open-source interface for AI text generation models. The flaw is categorized under CWE-807, indicating reliance on untrusted inputs in a security decision. Specifically, the vulnerability exists in the handling of the 'trust_remote_code' parameter at the load endpoint, where user-supplied input is not properly validated before being used to load external models. This lack of validation allows an unauthenticated remote attacker to supply malicious code that the system will execute in the context of the service account running the web UI. The vulnerability is remotely exploitable without any authentication or user interaction, making it highly dangerous. The CVSS v3.0 base score of 9.8 reflects the ease of exploitation (network vector, no privileges required, no user interaction) and the severe impact on confidentiality, integrity, and availability. Exploitation could lead to full system compromise, data theft, manipulation, or denial of service. The vulnerability was published on November 6, 2025, and was initially reserved by ZDI as ZDI-CAN-26680. No patches or fixes have been released at the time of this report, and no active exploits have been observed in the wild. The attack surface includes any deployment of oobabooga text-generation-webui version 2.5 exposed to untrusted networks, particularly those that enable the trust_remote_code feature to load external models dynamically.

Potential Impact

For European organizations, this vulnerability poses a critical risk, especially for those leveraging AI text-generation services in production or research environments. Successful exploitation can lead to complete system takeover, allowing attackers to exfiltrate sensitive data, manipulate AI model outputs, or disrupt services. This can result in loss of intellectual property, violation of data protection regulations such as GDPR, reputational damage, and operational downtime. Organizations in sectors like finance, healthcare, government, and critical infrastructure that adopt AI technologies are particularly vulnerable. The unauthenticated nature of the exploit increases the likelihood of attacks originating from external threat actors, including cybercriminals and nation-state actors. Additionally, the lack of available patches means organizations must rely on compensating controls, increasing operational complexity and risk. The potential for cascading effects exists if compromised systems are integrated into larger networks or cloud environments, amplifying the threat impact.

Mitigation Recommendations

1. Immediately restrict network access to the oobabooga text-generation-webui load endpoint, ideally by placing it behind a firewall or VPN accessible only to trusted users.
2. Disable or avoid using the 'trust_remote_code' parameter until a secure patch is released. If dynamic model loading is necessary, implement strict validation and whitelisting of trusted models and sources.
3. Monitor logs and network traffic for unusual requests targeting the load endpoint or attempts to exploit the trust_remote_code parameter.
4. Employ application-layer security controls such as Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads.
5. Isolate the service account running the web UI with minimal privileges and consider running the application in a sandboxed or containerized environment to limit the blast radius of potential exploitation.
6. Stay updated with vendor advisories and apply patches promptly once available.
7. Conduct security awareness training for administrators managing AI infrastructure to recognize and respond to exploitation attempts.
8. Consider implementing network segmentation to separate AI services from critical enterprise systems.
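As an added defender-side example (not code from text-generation-webui or from this advisory), the gate below puts recommendations 2 and 3 into practice: it denies any load request that sets trust_remote_code unless the model is on an operator allowlist and the request arrives from a management range, and it replays request logs through the same check so the denied entries can drive an alert. The endpoint path /v1/internal/model/load, the request body shape, the allowlist, the address range and the log format are all assumptions, not values taken from the advisory.

```python
import json
import re
# Assumed, not from the advisory: POST /v1/internal/model/load with a JSON body
# {"model_name": "...", "args": {"trust_remote_code": ...}}.
LOAD_ENDPOINT = "/v1/internal/model/load"
# Constructed allowlist and management prefix for remote-code loads.
TRUSTED_REMOTE_CODE_MODELS = {"reviewed-org/reviewed-model"}
MANAGEMENT_PREFIX = "10.0.0."
# Plain "repo" or "org/repo" ids only; rejects paths, URLs and "../" segments.
MODEL_NAME_RE = re.compile(r"\w[\w.-]*(?:/\w[\w.-]*)?")

def check_load_request(body: bytes, src_ip: str):
    """Return (allowed, reason); trust_remote_code is denied unless allowlisted."""
    try:
        req = json.loads(body)
    except ValueError:
        return False, "malformed JSON body"
    if not isinstance(req, dict):
        return False, "body is not a JSON object"
    model = req.get("model_name")
    if not isinstance(model, str) or not MODEL_NAME_RE.fullmatch(model):
        return False, "model_name is not a plain repo id"
    args = req.get("args") if isinstance(req.get("args"), dict) else {}
    # Any truthy spelling (true, "true", 1, "yes") counts as a remote-code request.
    if str(args.get("trust_remote_code", "false")).lower() not in {"true", "1", "yes", "on"}:
        return True, "ok"
    if model not in TRUSTED_REMOTE_CODE_MODELS:
        return False, f"trust_remote_code requested for unlisted model {model}"
    if not src_ip.startswith(MANAGEMENT_PREFIX):
        return False, f"trust_remote_code requested from non-management source {src_ip}"
    return True, "ok (allowlisted model from management network)"

def find_denied_loads(log_lines):
    """Replay JSON-per-line request logs (constructed fields ts, src, path, body) through the gate; denied entries are what a detection rule should alert on."""
    denied = []
    for line in log_lines:
        entry = json.loads(line)
        if entry.get("path") != LOAD_ENDPOINT:
            continue
        allowed, reason = check_load_request(entry["body"].encode(), entry["src"])
        if not allowed:
            denied.append((entry["ts"], entry["src"], reason))
    return denied

def _log_entry(ts, src, body):  # constructed log format, one JSON object per line
    return json.dumps({"ts": ts, "src": src, "path": LOAD_ENDPOINT, "body": json.dumps(body)})
# Constructed sample log: a reviewed model loaded from the management network, then an unlisted model asking for remote code from outside.
SAMPLE_LOG = [
    _log_entry("2025-11-06T20:11:52Z", "10.0.0.5", {"model_name": "reviewed-org/reviewed-model", "args": {"trust_remote_code": True}}),
    _log_entry("2025-11-06T20:12:03Z", "203.0.113.7", {"model_name": "other-org/unreviewed-model", "args": {"trust_remote_code": "true"}}),
]
```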


Technical Details

Data Version: 5.2
Assigner Short Name: zdi
Date Reserved: 2025-10-29T19:50:03.503Z
CVSS Version: 3.0
State: PUBLISHED

Threat ID: 690d06aae0be3996723e47e1

Added to database: 11/6/2025, 8:35:54 PM

Last enriched: 11/6/2025, 8:44:20 PM

Last updated: 11/7/2025, 6:20:37 PM

Views: 14
