
CVE-2025-62155: CWE-918: Server-Side Request Forgery (SSRF) in QuantumNous new-api

Severity: High
Tags: Vulnerability, CVE-2025-62155, CWE-918
Published: Mon Nov 24 2025 (11/24/2025, 23:56:52 UTC)
Source: CVE Database V5
Vendor/Project: QuantumNous
Product: new-api

Description

New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.9.6, a recently patched SSRF vulnerability can be bypassed: the existing fix applies its security restrictions only to the first URL requested, so a 302 redirect from that first target evades the check and still lets the server reach the intranet. This issue has been patched in version 0.9.6.

AI-Powered Analysis

Last updated: 11/25/2025, 00:21:52 UTC

Technical Analysis

CVE-2025-62155 is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) in QuantumNous new-api, an LLM gateway and AI asset management system. Versions prior to 0.9.6 are affected because an earlier SSRF fix validated only the initial URL of a server-side fetch. A request whose first hop passes that validation can return an HTTP 302 whose Location header points at an internal address; the HTTP client follows the redirect without re-checking the new destination, so the gateway fetches intranet resources on the attacker's behalf. The result is unauthorized access to internal services, potential exposure of sensitive data, and a foothold for further attacks inside the network.

The CVSS 3.1 base score is 8.5 (High): network attack vector (AV:N), low privileges required (PR:L), no user interaction (UI:N), high confidentiality impact, low integrity impact and no availability impact. With those metrics, a score of 8.5 corresponds to low attack complexity and changed scope (S:C), which fits an SSRF in which the gateway reaches systems beyond its own security boundary. No exploitation in the wild has been reported, but redirect-based bypasses of SSRF filters are well understood and cheap to set up (the attacker only needs a server that answers with a 302), so affected deployments should treat this as high priority. Version 0.9.6 contains the fix; a correct fix applies the destination check to every hop of a redirect chain, not only to the first request.
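As an added example (not code from new-api or its maintainers), the following Go program shows the pattern this advisory describes: a fetch that validates only the entry URL and then lets the default HTTP client follow a 302 wherever it points, beside a client whose CheckRedirect hook re-validates every hop before it is followed. The names (ErrBlockedTarget, validateTarget, newSafeClient, fetchVulnerable, fetchGuarded, demoRedirectBypass), the local httptest server standing in for the attacker's redirecting host, and the use of the cloud metadata address 169.254.169.254 as a representative internal target are all assumptions of this example, not details taken from new-api.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// ErrBlockedTarget is returned for any hop whose destination is not a public address.
var ErrBlockedTarget = errors.New("ssrf guard: target address is not allowed")

// lookupIP resolves hostnames; a variable so tests can substitute a fake resolver.
var lookupIP = net.LookupIP

// isPublicIP rejects loopback, RFC 1918 / ULA, link-local (which covers the
// 169.254.169.254 cloud metadata address), unspecified and multicast addresses.
func isPublicIP(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast())
}

// validateTarget checks one URL: the scheme must be http(s) and every address the
// host resolves to must be public. It is applied to the entry URL and to every redirect hop.
func validateTarget(u *url.URL) error {
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("%w: scheme %q", ErrBlockedTarget, u.Scheme)
	}
	host := u.Hostname()
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else {
		resolved, err := lookupIP(host)
		if err != nil {
			return fmt.Errorf("%w: cannot resolve %q: %v", ErrBlockedTarget, host, err)
		}
		ips = resolved
	}
	for _, ip := range ips {
		if !isPublicIP(ip) {
			return fmt.Errorf("%w: %s -> %s", ErrBlockedTarget, host, ip)
		}
	}
	return nil
}

// safeCheckRedirect runs before the client follows a redirect, so a public server
// controlled by the attacker cannot bounce the request to an internal address.
func safeCheckRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 5 {
		return fmt.Errorf("%w: too many redirects", ErrBlockedTarget)
	}
	return validateTarget(req.URL)
}

// newSafeClient returns a client that re-validates the destination of every hop.
func newSafeClient() *http.Client {
	return &http.Client{Timeout: 5 * time.Second, CheckRedirect: safeCheckRedirect}
}

// fetchVulnerable mirrors the pre-0.9.6 pattern described in the advisory: only the
// entry URL is checked, and a plain client then follows a 302 without re-checking.
func fetchVulnerable(rawURL string) (*http.Response, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if err := validateTarget(u); err != nil {
		return nil, err
	}
	return (&http.Client{Timeout: 5 * time.Second}).Get(u.String())
}

// fetchGuarded checks the entry URL and, through CheckRedirect, every later hop.
func fetchGuarded(rawURL string) (*http.Response, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if err := validateTarget(u); err != nil {
		return nil, err
	}
	return newSafeClient().Get(u.String())
}

// demoRedirectBypass starts a local "attacker" server that answers 302 to the metadata
// address and returns the guarded client's error. The entry URL is loopback only because
// it is a local test server, so it is fetched directly rather than through fetchGuarded.
func demoRedirectBypass() error {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "http://169.254.169.254/latest/meta-data/", http.StatusFound)
	}))
	defer srv.Close()
	resp, err := newSafeClient().Get(srv.URL)
	if err == nil {
		resp.Body.Close()
	}
	return err // wraps ErrBlockedTarget; the redirect target was never dialed
}

func main() {
	for _, raw := range []string{"http://203.0.113.10/", "http://10.0.0.5/admin", "http://[::1]/"} {
		u, _ := url.Parse(raw)
		fmt.Printf("%-24s %v\n", raw, validateTarget(u))
	}
	fmt.Println("guarded client on 302 to metadata:", demoRedirectBypass())
}
```

The hop-level check is the part the original fix was missing; without CheckRedirect, Go's default client follows up to ten redirects silently, which is exactly the path a 302 bypass takes. Two caveats remain even with this guard: validateTarget resolves the hostname separately from the dial the client later performs, so a DNS-rebinding attacker can still win that race unless the resolved IP is pinned with a custom DialContext, and the blocklist approach should be paired with an egress allowlist at the network layer rather than relied on alone.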

Potential Impact

For European organizations, this SSRF vulnerability poses a significant risk to the confidentiality of internal systems and data. Organizations running QuantumNous new-api in sectors such as finance, healthcare, government and critical infrastructure could see internal services exposed, leading to data breaches or lateral movement within their networks. Because the bypass defeats a fix that operators may already have deployed, exploitation is more likely in environments where network segmentation or internal access controls are weak: a gateway that can reach internal HTTP endpoints will reach them on the attacker's behalf. In the AI asset management context, that may include proprietary models, API keys for upstream LLM providers, or operational data. The vulnerability does not affect availability and carries only a low integrity impact, but it can serve as a foothold for further attacks. No user interaction is needed and the attack is network-based, so anyone holding a low-privileged account on the gateway (PR:L) can exploit it remotely. European organizations with complex internal networks and a reliance on new-api should treat remediation as high priority.

Mitigation Recommendations

1. Upgrade QuantumNous new-api to version 0.9.6 or later immediately to apply the official patch for the redirect bypass in its SSRF protections.
2. Apply strict network segmentation and egress firewall rules so the new-api host cannot open outbound connections to internal address ranges (RFC 1918, loopback, link-local including cloud metadata endpoints) except where explicitly required; this limits the blast radius of any SSRF, including bypasses not yet known.
3. Note that a web application firewall in front of new-api cannot see the redirect hop: the 302 travels from the attacker's upstream server to new-api, not through the inbound WAF. Detection and blocking of redirect-based SSRF therefore belong on the egress path (a forward proxy or egress filter that logs and restricts destinations), with the WAF covering only the initial request parameters.
4. Monitor egress logs for unusual outbound HTTP requests from the new-api server, particularly connections to internal IP ranges that immediately follow a request to an external host.
5. Conduct internal penetration testing focused on SSRF vectors and redirect handling to validate that the applied mitigations hold.
6. Run the new-api service account with the minimum privileges necessary, reducing the impact if the host is compromised through this or a related issue.
7. Educate development and security teams on SSRF risks, in particular that URL validation must be applied to every hop of a redirect chain, and enforce secure coding practices for any future API gateway or AI asset management development.


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2025-10-07T16:12:03.423Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6924f361c5f5f1e21b6201dc

Added to database: 11/25/2025, 12:08:01 AM

Last enriched: 11/25/2025, 12:21:52 AM

Last updated: 11/25/2025, 1:13:25 AM


