{"id":69782,"date":"2025-09-01T03:15:51","date_gmt":"2025-09-01T03:15:51","guid":{"rendered":""},"modified":"2025-10-04T00:32:21","modified_gmt":"2025-10-04T06:32:21","slug":"cve-2025-55573-cross-site-scripting-vulnerability-in-quantumnous-new-api-v-0-8-5-2","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2025-55573-cross-site-scripting-vulnerability-in-quantumnous-new-api-v-0-8-5-2\/","title":{"rendered":"<strong>CVE-2025-55573: Cross-Site Scripting Vulnerability in QuantumNous new-api v.0.8.5.2<\/strong>"},"content":{"rendered":"<p><strong>Overview<\/strong><\/p>\n<p>CVE-2025-55573 is a critical vulnerability identified in QuantumNous new-api v.0.8.5.2, a widely used API in various web applications. This vulnerability, classed as Cross Site Scripting (XSS), has a potential to compromise system security and cause data leakage. The importance of addressing this vulnerability promptly and efficiently cannot be overstated, given the potential for significant damage to the integrity, availability, and confidentiality of the <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-54788-sql-injection-vulnerability-in-suitecrm-leading-to-potential-system-compromise-or-data-leakage\/\"  data-wpil-monitor-id=\"80213\">system and its data<\/a>.<\/p>\n<p><strong>Vulnerability Summary<\/strong><\/p>\n<p>CVE ID: CVE-2025-55573<br \/>\nSeverity: High (8.8 CVSS Score)<br \/>\nAttack Vector: Network<br \/>\nPrivileges Required: None<br \/>\nUser Interaction: Required<br \/>\nImpact: <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-42950-sap-landscape-transformation-vulnerability-leading-to-potential-system-compromise\/\"  data-wpil-monitor-id=\"77560\">System compromise and potential<\/a> data leakage<\/p>\n<p><strong>Affected Products<\/strong><\/p>\n<p>Product | Affected Versions<\/p>\n<p>QuantumNous new-api | v.0.8.5.2<\/p>\n<p><strong>How the Exploit Works<\/strong><\/p>\n<p>The exploit takes advantage of an XSS <a 
href=\"https:\/\/www.ameeba.com\/blog\/cve-2023-28906-command-injection-vulnerability-in-mib3-infotainment\/\"  data-wpil-monitor-id=\"77426\">vulnerability that allows the attacker to inject<\/a> malicious scripts into web pages viewed by other users. Because the injected scripts execute on the client side within the origin of the vulnerable page, the same-origin policy, a fundamental web security mechanism, does not restrict them, <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-8939-buffer-overflow-vulnerability-in-tenda-ac20-leading-to-potential-system-compromise\/\"  data-wpil-monitor-id=\"78295\">leading to a multitude of potential<\/a> attacks such as stealing session cookies, performing actions on behalf of the user, or even delivering malware.<\/p>\n<p><strong>Conceptual Example Code<\/strong><\/p>\n<p>Below is a conceptual example of how the vulnerability might be exploited. The attacker sends a crafted HTTP request with a malicious JavaScript payload that gets <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-41683-authenticated-remote-code-execution-vulnerability-in-main-web-interface\/\"  data-wpil-monitor-id=\"78952\">executed when a user visits the affected web<\/a> page.<\/p>\n<pre><code class=\"\" data-line=\"\">POST \/api\/v0.8.5.2\/endpoint HTTP\/1.1\nHost: target.example.com\nContent-Type: application\/json\n\n{ &quot;user_input&quot;: &quot;&lt;script&gt;\/*malicious code*\/&lt;\/script&gt;&quot; }<\/code><\/pre>\n<p>In this example, the &#8220;user_input&#8221; field is not properly sanitized, allowing the attacker&#8217;s script to be embedded into the web page.<\/p>\n<p><strong>Mitigation Guidance<\/strong><\/p>\n<p>To mitigate this vulnerability, it is recommended to apply the vendor patch as soon as it becomes available. 
As a temporary measure, you can use a Web Application Firewall (WAF) or Intrusion Detection System (IDS) to detect and block XSS attacks. However, these measures should not replace patching the system, as they only provide a temporary and potentially incomplete solution.<br \/>\nRemember, staying up-to-date with patches and updates is a <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-20263-critical-buffer-overflow-vulnerability-in-cisco-secure-firewall\/\"  data-wpil-monitor-id=\"78180\">critical part of maintaining a secure<\/a> system. Regularly monitor for updates to QuantumNous new-api and other <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-25180-underprivileged-software-manipulates-gpu-system-calls-for-unauthorized-access\/\"  data-wpil-monitor-id=\"88764\">software your system<\/a> relies on to ensure your defenses are current.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview CVE-2025-55573 is a critical vulnerability identified in QuantumNous new-api v.0.8.5.2, a widely used API in various web applications. This vulnerability, classed as Cross Site Scripting (XSS), has a potential to compromise system security and cause data leakage. 
The importance of addressing this vulnerability promptly and efficiently cannot be overstated, given the potential for significant [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"footnotes":""},"categories":[1],"tags":[],"vendor":[],"product":[],"attack_vector":[81],"asset_type":[],"severity":[],"exploit_status":[],"class_list":["post-69782","post","type-post","status-publish","format-standard","hentry","category-uncategorized","attack_vector-xss"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/69782","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/comments?post=69782"}],"version-history":[{"count":7,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/69782\/revisions"}],"predecessor-version":[{"id":81574,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/69782\/revisions\/81574"}],"wp:attachment":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/media?parent=69782"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/categories?post=69782"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/tags?post=69782"},{"taxonomy":"vendor","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/vendor?post=69782"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/product?post=69782"},{"taxonomy":"attack_vector","embeddable":true,"href":"ht
tps:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/attack_vector?post=69782"},{"taxonomy":"asset_type","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/asset_type?post=69782"},{"taxonomy":"severity","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/severity?post=69782"},{"taxonomy":"exploit_status","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/exploit_status?post=69782"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}