CVE-2025-3801: one-api Cross-site Scripting vulnerability

April 19, 2025 (updated April 21, 2025)

A vulnerability was found in songquanpeng one-api up to 0.6.10. It has been classified as problematic. This affects an unknown part of the component System Setting Handler. The manipulation of the argument Homepage Content leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

References

github.com/advisories/GHSA-wvcx-j62q-45qw
github.com/songquanpeng/one-api
github.com/yaowenxiao721/Poc/blob/main/One-API/One-API-poc.md
nvd.nist.gov/vuln/detail/CVE-2025-3801
vuldb.com/?ctiid.305655
vuldb.com/?id.305655
vuldb.com/?submit.554702

Code Behaviors & Features

Detect and mitigate CVE-2025-3801 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →