{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/quantumnous/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.5,"id":"CVE-2025-59146"},{"cvss":8.5,"id":"CVE-2025-62155"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["new-api (\u003c= 0.11.9-alpha.1)"],"_cs_severities":["high"],"_cs_tags":["ssrf","vulnerability","quantumnous"],"_cs_type":"advisory","_cs_vendors":["QuantumNous"],"content_html":"\u003cp\u003eThe QuantumNous new-api contains a Server-Side Request Forgery (SSRF) vulnerability caused by an incomplete fix for two earlier SSRF issues (CVE-2025-59146, CVE-2025-62155). It affects versions up to and including 0.11.9-alpha.1. The SSRF protection introduced in v0.9.0.5 and hardened in v0.9.6 does not block the address \u003ccode\u003e0.0.0.0\u003c/code\u003e; on Linux a connection to 0.0.0.0 is delivered to the local host, so it reaches the same listeners as \u003ccode\u003e127.0.0.1\u003c/code\u003e. An authenticated regular user with any valid API token can exploit this by sending a request to an endpoint such as \u003ccode\u003e/v1/chat/completions\u003c/code\u003e, \u003ccode\u003e/v1/responses\u003c/code\u003e or \u003ccode\u003e/v1/messages\u003c/code\u003e with \u003ccode\u003e0.0.0.0\u003c/code\u003e as the host of an image or file URL. 
If the request is routed through an AWS/Bedrock Claude adaptor, this can be upgraded to a full-read SSRF where the fetched content is inlined into the model response, allowing for exfiltration of internal content.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains a valid API token for a regular user account on the QuantumNous new-api.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to \u003ccode\u003e/v1/chat/completions\u003c/code\u003e with a JSON payload that includes a malicious \u003ccode\u003eimage_url\u003c/code\u003e with the host set to \u003ccode\u003e0.0.0.0\u003c/code\u003e and a port in the allowed list (80, 443, 8080, 8443). For example: \u003ccode\u003e\u0026quot;url\u0026quot;: \u0026quot;http://0.0.0.0:8080/probe.png\u0026quot;\u003c/code\u003e. The \u003ccode\u003estream: true\u003c/code\u003e parameter is also set to trigger the fetch path.\u003c/li\u003e\n\u003cli\u003eThe server-side code at \u003ccode\u003edto/openai_request.go\u003c/code\u003e recognizes the \u003ccode\u003ehttp(s)://\u003c/code\u003e URL as a valid source and proceeds to collect metadata.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eLoadFileSource()\u003c/code\u003e function at \u003ccode\u003eservice/token_counter.go\u003c/code\u003e determines that the file needs to be fetched based on the \u003ccode\u003eshouldFetchFiles\u003c/code\u003e setting.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eloadFromURL()\u003c/code\u003e function within \u003ccode\u003eservice/file_service.go\u003c/code\u003e calls \u003ccode\u003eDoDownloadRequest()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eValidateURLWithFetchSetting()\u003c/code\u003e function at \u003ccode\u003eservice/download.go\u003c/code\u003e incorrectly validates the URL, as \u003ccode\u003e0.0.0.0\u003c/code\u003e is not blocked by the IP filter.\u003c/li\u003e\n\u003cli\u003eThe server initiates a 
TCP connection to \u003ccode\u003e0.0.0.0\u003c/code\u003e on the specified port.\u003c/li\u003e\n\u003cli\u003eIf the request is routed through an AWS/Bedrock Claude channel, the content fetched from \u003ccode\u003e0.0.0.0\u003c/code\u003e is inlined into the model request and leaks through the model\u0026rsquo;s response (full-read SSRF). Otherwise the attacker has a blind SSRF that can still be used to probe internal services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAn attacker with a valid user API token can use this SSRF to probe internal services and potentially exfiltrate sensitive information. By bypassing the intended SSRF protection, the attacker can reach services bound to the local host that should not be exposed. If the request is processed by a multimodal model such as Claude via AWS/Bedrock, the fetched content is leaked directly in the model\u0026rsquo;s output (full-read SSRF). Any registered user can exploit the flaw, and user registration is often enabled by default.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch suggested in the advisory, which adds \u003ccode\u003e0.0.0.0/8\u003c/code\u003e to the deny list in \u003ccode\u003eisPrivateIP()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect QuantumNous new-api SSRF Attempt via 0.0.0.0\u0026rdquo;, which looks for network connections to 0.0.0.0. Because such a connection never leaves the host, the rule needs host-level telemetry (outbound connections of the new-api process) or the application\u0026rsquo;s own request logs; perimeter network sensors will not see it.\u003c/li\u003e\n\u003cli\u003eThe URLs \u003ccode\u003ehttp://0.0.0.0:8080/probe.png\u003c/code\u003e and \u003ccode\u003ehttps://dummyimage.com/600x180/111/fff.png\u0026amp;text=READBACK-OK-314159\u003c/code\u003e are the advisory\u0026rsquo;s proof-of-concept values and are useful as hunting indicators in request logs. Blocking them at the network perimeter does not prevent exploitation: the path, port and marker text are attacker-chosen, and the request to 0.0.0.0 never crosses the perimeter in the first place.\u003c/li\u003e\n\u003cli\u003eUpgrade to a version of the QuantumNous new-api that includes a fix for 
CVE-2026-42339.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T12:00:00Z","date_published":"2026-05-07T12:00:00Z","id":"/briefs/2026-05-quantum-nous-ssrf/","summary":"The QuantumNous new-api is vulnerable to SSRF attacks. The SSRF protection implemented in versions v0.9.0.5 (CVE-2025-59146) and v0.9.6 (CVE-2025-62155) can be bypassed by using the address `0.0.0.0`. An attacker with a valid API token can send a request to `/v1/chat/completions`, `/v1/responses`, or `/v1/messages` with `0.0.0.0` as the image/file URL host, which bypasses the private-IP filter and allows the server to issue HTTP requests to localhost, enabling a blind SSRF and possibly a full-read SSRF in specific configurations.","title":"QuantumNous new-api SSRF Bypass via 0.0.0.0","url":"https://feed.craftedsignal.io/briefs/2026-05-quantum-nous-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Quantumnous","version":"https://jsonfeed.org/version/1.1"}
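The bypass and its fix, as an added example in Go (new-api's language) that is not code from the new-api project or from the advisory: a deny-list filter in the shape the brief describes (private, loopback and link-local ranges, no entry for 0.0.0.0/8) next to a hardened one that adds 0.0.0.0/8, with a URL validator applying the scheme, port and destination checks around it. The names weakDenyList, hardenedDenyList, ipBlocked, validateFetchURL and fakeLookup are this example's own, not new-api's isPrivateIP() or ValidateURLWithFetchSetting(); the allowed-port list (80, 443, 8080, 8443) is the one the brief gives. The example goes a little beyond the page: the hardened list also rejects the IPv6 unspecified address `::`, the validator shows that net.IPNet.Contains catches the IPv4-mapped spelling `::ffff:0.0.0.0` as well, and hostnames are checked after resolution through an injected lookup (a constructed table here, so the example runs offline).

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// Ports the advisory lists as permitted for outbound file fetches.
var allowedPorts = map[string]bool{"80": true, "443": true, "8080": true, "8443": true}

// mustCIDRs parses CIDRs, panicking on a typo so a deny list cannot silently shrink.
func mustCIDRs(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

// weakDenyList has the shape of the filter the advisory describes (RFC 1918,
// loopback, link-local, IPv6 counterparts) but no entry for 0.0.0.0/8.
// Illustrative only; it is not new-api's isPrivateIP().
func weakDenyList() []*net.IPNet {
	return mustCIDRs("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
		"127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")
}

// hardenedDenyList adds the 0.0.0.0/8 entry the advisory recommends plus the
// IPv6 unspecified address, which a Linux connect() treats the same way.
func hardenedDenyList() []*net.IPNet {
	return append(weakDenyList(), mustCIDRs("0.0.0.0/8", "::/128")...)
}

// ipBlocked reports whether ip lies in any denied network. IPNet.Contains reduces
// IPv4-mapped IPv6 addresses (::ffff:0.0.0.0) to four bytes before comparing,
// so the IPv4 entries also catch that spelling.
func ipBlocked(ip net.IP, deny []*net.IPNet) bool {
	for _, n := range deny {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// validateFetchURL applies scheme, port and destination checks to a URL taken
// from an image_url or file field. lookup stands in for DNS so the example runs
// offline; resolved addresses are checked too, since a hostname can point at an
// internal address just as a literal IP can.
func validateFetchURL(raw string, deny []*net.IPNet, lookup func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return errors.New("scheme not allowed: " + u.Scheme)
	}
	port := u.Port()
	if port == "" {
		port = map[string]string{"http": "80", "https": "443"}[u.Scheme]
	}
	if !allowedPorts[port] {
		return errors.New("port not allowed: " + port)
	}
	host := u.Hostname()
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = lookup(host); err != nil {
		return err
	}
	for _, ip := range ips {
		if ipBlocked(ip, deny) {
			return fmt.Errorf("destination %s is denied", ip)
		}
	}
	return nil
}

// fakeLookup is a constructed, offline stand-in for DNS; both answers are made
// up for this example (203.0.113.0/24 is documentation address space).
func fakeLookup(host string) ([]net.IP, error) {
	table := map[string][]net.IP{
		"dummyimage.com":   {net.ParseIP("203.0.113.10")},
		"internal.example": {net.ParseIP("10.1.2.3")},
	}
	if ips, ok := table[host]; ok {
		return ips, nil
	}
	return nil, errors.New("no such host: " + host)
}

func main() {
	for _, p := range []string{
		"http://0.0.0.0:8080/probe.png", // the advisory's PoC URL
		"http://[::ffff:0.0.0.0]:8080/probe.png",
		"http://internal.example/x.png",
		"https://dummyimage.com/600x180/111/fff.png",
	} {
		fmt.Printf("%-42s weak=%-5v hardened=%v\n", p,
			validateFetchURL(p, weakDenyList(), fakeLookup) == nil,
			validateFetchURL(p, hardenedDenyList(), fakeLookup) == nil)
	}
}
```

Running it shows the PoC URL and its IPv4-mapped spelling passing the weak list and failing the hardened one, while the resolved internal hostname is denied by both and the external host is allowed by both. The port check sits in front of the IP check on purpose: a URL such as http://0.0.0.0:22/ is rejected by the port list alone, which is why the brief's PoC has to use one of the four permitted ports.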