CVE-2025-32383 Overview
CVE-2025-32383 affects MaxKB (Max Knowledge Base), an open-source knowledge base question-answering system built on large language models (LLMs) and retrieval-augmented generation (RAG). The vulnerability resides in the function library module and allows privileged users to create a reverse shell on the underlying host. The flaw is classified under [CWE-94] Improper Control of Generation of Code (Code Injection). MaxKB resolved the issue in version v1.10.4-lts.
Critical Impact
Authenticated privileged users can execute arbitrary code and establish a reverse shell, compromising confidentiality, integrity, and availability of the MaxKB host.
Affected Products
- MaxKB (1Panel-dev/MaxKB) prior to v1.10.4-lts
- Deployments using the function library module
- Self-hosted MaxKB LTS installations
Discovery Timeline
- 2025-04-10 - CVE-2025-32383 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-32383
Vulnerability Analysis
MaxKB exposes a function library module that allows privileged users to define and execute custom functions inside the application runtime. The module does not adequately restrict the code paths available to these functions, enabling an authenticated user with elevated role privileges to inject code that spawns a reverse shell. Once the connection is established, the attacker gains interactive command execution on the MaxKB host with the privileges of the application process.
Because MaxKB integrates with LLM workflows, the compromised host often holds API credentials for third-party model providers, knowledge base content, and database connection strings. Exploitation therefore expands beyond the application boundary into adjacent secrets and data stores.
Root Cause
The root cause is improper neutralization of user-supplied code within the function library feature, mapped to [CWE-94]. The module evaluates function definitions in a way that lets attackers introduce arbitrary commands, including network sockets and shell invocations, rather than restricting them to a safe execution sandbox.
Attack Vector
The attack vector is network-based and requires high privileges within the MaxKB application. An attacker with administrator or function-library author rights submits a malicious function that opens an outbound socket to an attacker-controlled listener. When the function executes, MaxKB binds the process's standard input and output to the socket, yielding an interactive reverse shell.
No verified public proof-of-concept code is available for CVE-2025-32383. Refer to the GitHub Security Advisory GHSA-fjf6-6cvf-xr72 and the upstream commit 4ae02c8 for the technical fix.
Detection Methods for CVE-2025-32383
Indicators of Compromise
- Outbound TCP connections from the MaxKB process or container to unexpected external hosts and ports.
- New or modified entries in the MaxKB function library authored by administrative accounts shortly before suspicious process activity.
- Child processes of the MaxKB application spawning /bin/sh, bash, python, or other interpreters with socket file descriptors attached to standard I/O.
Detection Strategies
- Audit MaxKB application logs for function creation, modification, and execution events tied to privileged accounts.
- Monitor process trees on the MaxKB host for shell interpreters whose parent is the MaxKB runtime.
- Inspect egress network traffic from MaxKB hosts and containers for connections to non-allowlisted destinations.
Monitoring Recommendations
- Forward MaxKB application and host telemetry to a centralized SIEM or data lake for correlation across function-library activity, process creation, and network connection events.
- Alert on any execution of network primitives (sockets, nc, curl with shell redirection) originating from the MaxKB service account.
- Track administrator account activity and require change tickets for function-library modifications in production.
How to Mitigate CVE-2025-32383
Immediate Actions Required
- Upgrade MaxKB to v1.10.4-lts or later, which contains the upstream fix in commit 4ae02c8d3eb65542c88ef58c0abd94c52c949d8f.
- Review all existing function library entries and remove any unrecognized or suspicious functions before resuming normal operations.
- Rotate credentials, API keys, and database secrets accessible to the MaxKB host if compromise is suspected.
Patch Information
The vendor released the fix in MaxKB v1.10.4-lts. The patch is published in the GitHub commit 4ae02c8 and documented in the GitHub Security Advisory GHSA-fjf6-6cvf-xr72. Administrators running self-hosted instances should plan an upgrade window and verify the new image hash after deployment.
Workarounds
- Restrict administrative and function-library author roles to a minimal set of trusted accounts and enforce multi-factor authentication on those accounts.
- Run MaxKB inside a hardened container with no outbound internet access except to required LLM and storage endpoints, blocking arbitrary reverse-shell destinations.
- Apply host-level egress filtering and seccomp or AppArmor profiles to prevent the MaxKB process from invoking shell interpreters or raw sockets.
# Example egress restriction using iptables on the MaxKB host
iptables -A OUTPUT -m owner --uid-owner maxkb -p tcp -d <llm-provider-ip> --dport 443 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner maxkb -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

