## https://sploitus.com/exploit?id=66A1BB6F-647E-5C42-B6F1-C2E8C04FB26C
# new-api Quota Overflow Tool
The new-api tool is designed for detecting and exploiting the quota overflow vulnerability. If you find that your site can exploit this vulnerability, please update NewAPI to the latest version immediately.
## Vulnerability Mechanism
By passing excessively large parameters like `max_completion_tokens`, `n`, and `duration`, the quota calculation `int(float64(tokens) * ratio)` may overflow to a negative value during int64 addition or int32 writing operations. This leads to:
- **Bypass pre-withdrawal checks**: After integer rounding, the pre-withdrawal amount becomes negative or zero, and the checks are skipped.
- **Balance increase**: When the pre-withdrawal amount is negative, the withdrawal becomes a credit.
Affected versions: NewAPI deployments that do not apply the βQuotaFromFloatβ patch.
## File Description
| File | Purpose |
|----|----------|
| `main.py` | Interactive entry point, where you select the mode and input parameters |
| `detect.py` | Detection mode β determines whether the target has a vulnerability; no actual exploitation is performed |
| `exploit.py` | Exploitation mode β actually exploits the vulnerability (bypasses pre-withdrawal/balance increase checks) |
## Quick Start
```bash
python main.py
```
Interactive prompt to select the mode and input parameters:
```bash
βββββββββββββββββββββββββββββββββββββββββββββββ
new-api Quota Overflow Tool
βββββββββββββββββββββββββββββββββββββββββββββββ
1. Detection mode β determines whether the target has a vulnerability
2. Exploitation mode β actually exploits the vulnerability (bypasses pre-withdrawal/balance increase checks)
0. Exit
Please select mode [0-2]:
```
## Direct Command Usage
**Detection Mode:**
```bash
python detect.py [model]
```
**Exploitation Mode:**
```bash
python exploit.py [model] [rounds]
```
| Parameter | Description | Default Value |
|------------|-----------------|------------------|
| `base_url` | Target URL, e.g., `https://eirouter.com` | β |
| `api_key` | API Key | β |
| `model` | Model name | `gpt-5.4` |
| `rounds` | Number of repeated attempts (only for exploit) | `1` |
Example:
```bash
python detect.py https://eirouter.com sk-xxxxx gpt-5.4
python exploit.py https://eirouter.com sk-xxxxx gpt-5.4 5
```
## Detection Output Explanation
| Status | Meaning |
|-------|----------|
| β SAFE | The issue has been fixed; the pre-withdrawal amount is always positive |
| β VULN | There is a vulnerability; the pre-withdrawal amount is negative or bypassed |
| β οΈ WEAK | Some paths are abnormal; it may be exploited |
| π BLOCKED | Parameter validation is blocked; this path is unavailable |
## Fixing Recommendations
Apply the βQuotaFromFloatβ patch to ensure that the pre-withdrawal amount is never negative. Also, reject excessively large `token` parameters.
## Declaration
This project is intended only for security research and authorized testing purposes. Testing other systems without authorization is illegal.
## Author
Original author: [bzym2](https://github.com/bzym2)