CVE-2025-14116 is a Server-Side Request Forgery (SSRF) vulnerability identified in the open-source project xerrors Yuxi-Know, specifically affecting versions 0.1 through 0.4.0. The vulnerability exists in the function OtherEmbedding.aencode located in the file /src/models/embed.py. The flaw stems from insufficient validation and sanitization of the health_url argument, which an attacker can manipulate to induce the server to make arbitrary HTTP requests. This SSRF can be exploited remotely without user interaction but requires the attacker to have high privileges (PR:H) on the system, indicating that some level of authentication or elevated access is necessary to trigger the vulnerability. The impact on confidentiality, integrity, and availability is limited (VC:L, VI:L, VA:L), suggesting that while the attacker can coerce the server to send requests, the potential damage is somewhat constrained. The vendor has acknowledged the vulnerability and responded by disabling URL parsing, disabling URL upload modes, and removing URL-to-markdown conversion features to reduce attack surface. A patch identified by commit 0ff771dc1933d5a6b78f804115e78a7d8625c3f3 is available and recommended for deployment. Although no known exploits are currently in the wild, the public availability of the exploit code increases the risk of future attacks. The vulnerability has a CVSS 4.0 base score of 5.1, categorized as medium severity, reflecting moderate risk due to ease of exploitation and potential impact.

For European organizations, the SSRF vulnerability in xerrors Yuxi-Know could lead to unauthorized internal network scanning, access to internal services, or exploitation of trust relationships within the network. This can facilitate lateral movement, data exfiltration, or further compromise of internal systems. Organizations using affected versions in critical infrastructure, research, or data-sensitive environments may face increased risk of information leakage or disruption. The requirement for high privileges to exploit limits the threat to insiders or attackers who have already gained elevated access, but the public availability of the exploit code increases the risk of privilege escalation chains. Given the medium severity, the impact is moderate but should not be underestimated, especially in sectors with stringent data protection regulations such as GDPR. Failure to patch could expose organizations to compliance risks and potential reputational damage if internal resources are compromised via SSRF.

European organizations should immediately identify and inventory all deployments of xerrors Yuxi-Know versions 0.1 through 0.4.0. The primary mitigation is to apply the vendor-provided patch (commit 0ff771dc1933d5a6b78f804115e78a7d8625c3f3) to eliminate the vulnerability. In addition, organizations should: 1) Restrict and monitor internal network access to limit SSRF exploitation impact; 2) Implement strict input validation and sanitization on any user-controllable parameters, especially URLs; 3) Employ network segmentation to isolate critical services from application servers; 4) Use web application firewalls (WAFs) with SSRF detection rules to detect and block suspicious outbound requests; 5) Conduct regular privilege audits to minimize the number of users with high-level access; 6) Monitor logs for unusual outbound requests or access patterns indicative of SSRF attempts; 7) Disable unnecessary URL parsing or upload features if not required; and 8) Educate developers and administrators about SSRF risks and secure coding practices to prevent similar vulnerabilities in future releases.