Detections
Analytics

CVE-2025-62364

medium

Description

text-generation-webui is an open-source web interface for running Large Language Models. In versions through 3.13, a Local File Inclusion vulnerability exists in the character picture upload feature. An attacker can upload a text file containing a symbolic link to an arbitrary file path. When the application processes the upload, it follows the symbolic link and serves the contents of the targeted file through the web interface. This allows an unauthenticated attacker to read sensitive files on the server, potentially exposing system configurations, credentials, and other confidential information. This vulnerability is fixed in 3.14. No known workarounds exist.

References

https://github.com/oobabooga/text-generation-webui/security/advisories/GHSA-66rw-q8w5-c2hg

https://github.com/oobabooga/text-generation-webui/commit/282aa1918907fceec7f903d3dc2bc8492ce8e885

Details

Source: Mitre, NVD

Published: 2025-10-13

Updated: 2025-10-14

Risk Information

CVSS v2

Base Score: 4.9

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 6.2

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00044