Vulnerability Description
text-generation-webui is an open-source web interface for running Large Language Models. In versions through 3.13, a Local File Inclusion vulnerability exists in the character picture upload feature. An attacker can upload a text file containing a symbolic link to an arbitrary file path. When the application processes the upload, it follows the symbolic link and serves the contents of the targeted file through the web interface. This allows an unauthenticated attacker to read sensitive files on the server, potentially exposing system configurations, credentials, and other confidential information. This vulnerability is fixed in 3.14. No known workarounds exist.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://github.com/oobabooga/text-generation-webui/commit/282aa1918907fceec7f903
- https://github.com/oobabooga/text-generation-webui/security/advisories/GHSA-66rw
FAQ
What is CVE-2025-62364?
CVE-2025-62364 is a vulnerability with a CVSS score of 6.2 (MEDIUM). text-generation-webui is an open-source web interface for running Large Language Models. In versions through 3.13, a Local File Inclusion vulnerability exists in the character picture upload feature. ...
How severe is CVE-2025-62364?
CVE-2025-62364 has been rated MEDIUM with a CVSS base score of 6.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-62364?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.