CVE-2025-62364

MEDIUM EPSS 40.2%

Published Oct 13, 20258mo ago · Modified Jun 17, 20261w ago

6.2 CVSS 3.1

Medium

Published Oct 13, 2025 8mo ago

Last Modified Jun 17, 2026 1w ago

Description

text-generation-webui is an open-source web interface for running Large Language Models. In versions through 3.13, a Local File Inclusion vulnerability exists in the character picture upload feature. An attacker can upload a text file containing a symbolic link to an arbitrary file path. When the application processes the upload, it follows the symbolic link and serves the contents of the targeted file through the web interface. This allows an unauthenticated attacker to read sensitive files on the server, potentially exposing system configurations, credentials, and other confidential information. This vulnerability is fixed in 3.14. No known workarounds exist.

CVSS Details

Base Score

6.2

Exploitability

2.5

Impact

3.6

Vector string

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector Local

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality High

Integrity None

Availability None

Threat Intelligence

EPSS Exploit Probability

40.2% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-59

References 2

github.com https://github.com/oobabooga/text-generation-webui/commit/282aa1918907fceec7f903d3dc2bc8492ce8e885
github.com https://github.com/oobabooga/text-generation-webui/security/advisories/GHSA-66rw-q8w5-c2hg

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.