CVE-2025-64511: CWE-918: Server-Side Request Forgery (SSRF) in 1Panel-dev MaxKB
MaxKB is an open-source AI assistant for enterprise. In versions prior to 2.3.1, a user can access internal network services such as databases through Python code in the tool module, although the process runs in a sandbox. Version 2.3.1 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-64511 is a Server-Side Request Forgery (SSRF) vulnerability classified under CWE-918, affecting MaxKB, an open-source AI assistant designed for enterprise use by 1Panel-dev. The vulnerability exists in versions prior to 2.3.1, where authenticated users with low privileges can execute Python code within a sandboxed environment in the tool module. Despite sandboxing, the flaw allows these users to craft requests that access internal network services, such as databases, which should normally be inaccessible externally. This SSRF vector arises because the sandbox does not sufficiently restrict network requests or isolate the execution environment from internal resources. The vulnerability has a CVSS 3.1 score of 7.4, indicating high severity, with an attack vector of network (remote), low attack complexity, requiring low privileges but no user interaction, and impacting confidentiality, integrity, and availability. The scope is changed as internal services can be accessed or manipulated. Although no known exploits are reported in the wild, the potential for lateral movement and data exfiltration within enterprise networks is significant. The issue was resolved in MaxKB version 2.3.1 by enhancing sandbox restrictions and network access controls within the tool module. Organizations using vulnerable versions should prioritize patching to prevent exploitation.
Potential Impact
For European organizations, this vulnerability poses a serious risk to internal network security, especially for enterprises relying on MaxKB for AI-driven assistance integrated with sensitive internal systems. Exploitation could allow attackers to bypass network segmentation, access confidential databases, and potentially manipulate or disrupt internal services, leading to data breaches, operational disruption, and compliance violations under regulations like GDPR. The ability to execute Python code remotely within a sandboxed environment increases the risk of lateral movement and privilege escalation within corporate networks. Sectors such as finance, healthcare, and critical infrastructure, which often deploy AI tools and maintain strict internal network controls, are particularly vulnerable. The compromise of internal services could also affect supply chain partners and interconnected systems, amplifying the impact. Given the high severity and ease of exploitation with low privileges, organizations must act swiftly to mitigate risks.
Mitigation Recommendations
1. Upgrade MaxKB to version 2.3.1 or later immediately to apply the official fix that strengthens sandbox restrictions and network access controls.
2. Restrict access to the tool module by enforcing strict authentication and authorization policies, limiting usage to trusted personnel only.
3. Implement network segmentation and firewall rules to isolate critical internal services and databases from the AI assistant’s execution environment, minimizing exposure even if SSRF attempts occur.
4. Monitor logs and network traffic for unusual internal requests originating from MaxKB instances, focusing on unexpected database queries or internal service access.
5. Conduct regular security assessments and penetration tests simulating SSRF attacks to validate the effectiveness of sandboxing and network controls.
6. Educate developers and administrators on secure coding and deployment practices for AI assistants, emphasizing the risks of executing user-supplied code.
7. Consider deploying runtime application self-protection (RASP) or web application firewalls (WAF) with SSRF detection capabilities to provide an additional defensive layer.
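An added example of the monitoring in recommendation 4 (not MaxKB's code and not part of the original advisory): it scans network flow records for connections from the MaxKB sandbox host to internal addresses that are not on an allowlist. The record format, every address, the allowlist and the port labels are constructed assumptions for illustration.

```python
import ipaddress

# Assumed deployment facts (hypothetical): the address the MaxKB sandbox
# egresses from, and the only internal endpoint it legitimately needs.
SANDBOX_SOURCES = {ipaddress.ip_address("10.20.0.15")}
ALLOWED_INTERNAL = {("10.20.0.5", 5432)}  # MaxKB's own database

# Ports commonly used by internal data stores; used only to label alerts.
DATASTORE_PORTS = {3306: "mysql", 5432: "postgresql", 6379: "redis",
                   9200: "elasticsearch", 27017: "mongodb"}

# Constructed sample flow records: "<time> <src> <dst> <dst_port>"
SAMPLE_FLOWS = """\
2025-11-13T10:00:01Z 10.20.0.15 10.20.0.5 5432
2025-11-13T10:00:07Z 10.20.0.15 93.184.216.34 443
2025-11-13T10:01:12Z 10.20.0.15 10.30.4.9 3306
2025-11-13T10:01:13Z 10.20.0.15 169.254.169.254 80
2025-11-13T10:01:15Z 10.20.0.15 192.168.8.20 6379
2025-11-13T10:02:00Z 10.20.0.77 10.30.4.9 3306
not-a-flow-record
"""

def is_internal(addr):
    """True for destinations that tool code should not normally reach."""
    return addr.is_private or addr.is_loopback or addr.is_link_local

def find_internal_egress(log_text):
    """Return (time, dst, port, label) for each unexpected internal connection."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed record: skip rather than crash the scan
        ts, src, dst, port = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue
        if src_ip not in SANDBOX_SOURCES:
            continue  # traffic from other hosts is out of scope here
        if not is_internal(dst_ip) or (str(dst_ip), port) in ALLOWED_INTERNAL:
            continue  # public destination, or the one allowed internal endpoint
        alerts.append((ts, str(dst_ip), port, DATASTORE_PORTS.get(port, "other")))
    return alerts

if __name__ == "__main__":
    for alert in find_internal_egress(SAMPLE_FLOWS):
        print(alert)
```

The same allowlist can drive the firewall rules in recommendation 3, so that anything this check would flag is also blocked at the network layer.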
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-05T21:15:39.399Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6916001feb29b6dceb02d4a4
Added to database: 11/13/2025, 3:58:23 PM
Last enriched: 11/13/2025, 4:05:49 PM
Last updated: 11/14/2025, 5:08:22 AM