CVE-2025-62364 (CNNVD-202510-1647)
中文标题:
Text Generation Web UI 后置链接漏洞
英文标题:
text-generation-webui allows arbitrary file read via symbolic link upload
漏洞描述
中文描述:
Text Generation Web UI是oobabooga个人开发者的一个本地AI的UI界面。 Text Generation Web UI 3.13及之前版本存在后置链接漏洞,该漏洞源于字符图片上传功能存在本地文件包含漏洞,可能导致读取服务器敏感文件。
英文描述:
text-generation-webui is an open-source web interface for running Large Language Models. In versions through 3.13, a Local File Inclusion vulnerability exists in the character picture upload feature. An attacker can upload a text file containing a symbolic link to an arbitrary file path. When the application processes the upload, it follows the symbolic link and serves the contents of the targeted file through the web interface. This allows an unauthenticated attacker to read sensitive files on the server, potentially exposing system configurations, credentials, and other confidential information. This vulnerability is fixed in 3.14. No known workarounds exist.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| oobabooga | text-generation-webui | <= 3.13 | - | - |
cpe:2.3:a:oobabooga:text-generation-webui:<=_3.13:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
3.1 (cna)
MEDIUMCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-62364 |
2025-11-11 15:23:33 | 2025-11-11 07:40:48 |
| NVD | nvd_CVE-2025-62364 |
2025-11-11 15:01:05 | 2025-11-11 07:48:35 |
| CNNVD | cnnvd_CNNVD-202510-1647 |
2025-11-11 15:12:59 | 2025-11-11 08:00:16 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 后置链接
- cnnvd_id: 未提取 -> CNNVD-202510-1647
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- data_sources: ['cve'] -> ['cve', 'nvd']