CVE-2025-66405: CWE-918: Server-Side Request Forgery (SSRF) in Portkey-AI gateway
Portkey.ai Gateway is a blazing fast AI Gateway with integrated guardrails. Prior to 1.14.0, the gateway determined the destination baseURL by prioritizing the value in the x-portkey-custom-host request header. The proxy route then appends the client-specified path to perform an external fetch. This can be maliciously used by users for SSRF attacks. This vulnerability is fixed in 1.14.0.
AI Analysis
Technical Summary
CVE-2025-66405 is a Server-Side Request Forgery (SSRF) vulnerability identified in the Portkey-AI Gateway product, specifically affecting versions prior to 1.14.0. The vulnerability stems from the gateway's handling of the x-portkey-custom-host HTTP header, which it uses to determine the destination base URL for proxying requests. This design flaw allows an attacker to supply a malicious value in this header, causing the gateway to perform unauthorized HTTP requests to arbitrary destinations, including internal network resources or protected services. The proxy route appends the client-specified path to the base URL, enabling attackers to craft requests that can access sensitive internal endpoints or external systems not normally reachable from the client side. The vulnerability requires no authentication or user interaction, making it easier to exploit remotely. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impacts on confidentiality, integrity, and availability are none, but scope is limited (S:C). The vulnerability was publicly disclosed on December 1, 2025, and fixed in Portkey-AI Gateway version 1.14.0. No public exploits have been reported yet. SSRF vulnerabilities like this can be leveraged for reconnaissance, accessing internal services, or pivoting attacks within a network. Given the gateway's role in AI infrastructure, exploitation could lead to exposure of sensitive AI model endpoints or internal APIs.
Potential Impact
For European organizations, this SSRF vulnerability poses a moderate risk. Exploitation could allow attackers to access internal services behind firewalls, potentially exposing sensitive data or enabling further lateral movement within the network. Organizations deploying Portkey-AI Gateway in AI or critical infrastructure environments may face risks to confidentiality and operational integrity. The vulnerability's ease of exploitation without authentication increases the threat level, especially for publicly accessible gateway instances. Potential impacts include unauthorized data access, disruption of AI service availability, or use of the gateway as a pivot point for broader network attacks. Given the growing adoption of AI technologies in Europe, particularly in sectors like finance, healthcare, and manufacturing, the vulnerability could have significant operational and reputational consequences if exploited.
Mitigation Recommendations
European organizations should immediately upgrade Portkey-AI Gateway to version 1.14.0 or later to remediate the vulnerability. In addition, network administrators should implement strict egress and ingress filtering to restrict the gateway's ability to make arbitrary outbound requests, limiting it to only trusted destinations. Deploying Web Application Firewalls (WAFs) with rules to detect and block anomalous x-portkey-custom-host header values can provide additional protection. Regularly audit and monitor logs for unusual proxy request patterns indicative of SSRF attempts. Employ network segmentation to isolate the gateway from sensitive internal services and enforce the principle of least privilege on network access. Security teams should also conduct penetration testing focused on SSRF vectors to validate defenses. Finally, maintain up-to-date threat intelligence and incident response plans tailored to AI infrastructure components.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
CVE-2025-66405: CWE-918: Server-Side Request Forgery (SSRF) in Portkey-AI gateway
Description
Portkey.ai Gateway is a blazing fast AI Gateway with integrated guardrails. Prior to 1.14.0, the gateway determined the destination baseURL by prioritizing the value in the x-portkey-custom-host request header. The proxy route then appends the client-specified path to perform an external fetch. This can be maliciously used by users for SSRF attacks. This vulnerability is fixed in 1.14.0.
AI-Powered Analysis
Technical Analysis
CVE-2025-66405 is a Server-Side Request Forgery (SSRF) vulnerability identified in the Portkey-AI Gateway product, specifically affecting versions prior to 1.14.0. The vulnerability stems from the gateway's handling of the x-portkey-custom-host HTTP header, which it uses to determine the destination base URL for proxying requests. This design flaw allows an attacker to supply a malicious value in this header, causing the gateway to perform unauthorized HTTP requests to arbitrary destinations, including internal network resources or protected services. The proxy route appends the client-specified path to the base URL, enabling attackers to craft requests that can access sensitive internal endpoints or external systems not normally reachable from the client side. The vulnerability requires no authentication or user interaction, making it easier to exploit remotely. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impacts on confidentiality, integrity, and availability are none, but scope is limited (S:C). The vulnerability was publicly disclosed on December 1, 2025, and fixed in Portkey-AI Gateway version 1.14.0. No public exploits have been reported yet. SSRF vulnerabilities like this can be leveraged for reconnaissance, accessing internal services, or pivoting attacks within a network. Given the gateway's role in AI infrastructure, exploitation could lead to exposure of sensitive AI model endpoints or internal APIs.
Potential Impact
For European organizations, this SSRF vulnerability poses a moderate risk. Exploitation could allow attackers to access internal services behind firewalls, potentially exposing sensitive data or enabling further lateral movement within the network. Organizations deploying Portkey-AI Gateway in AI or critical infrastructure environments may face risks to confidentiality and operational integrity. The vulnerability's ease of exploitation without authentication increases the threat level, especially for publicly accessible gateway instances. Potential impacts include unauthorized data access, disruption of AI service availability, or use of the gateway as a pivot point for broader network attacks. Given the growing adoption of AI technologies in Europe, particularly in sectors like finance, healthcare, and manufacturing, the vulnerability could have significant operational and reputational consequences if exploited.
Mitigation Recommendations
European organizations should immediately upgrade Portkey-AI Gateway to version 1.14.0 or later to remediate the vulnerability. In addition, network administrators should implement strict egress and ingress filtering to restrict the gateway's ability to make arbitrary outbound requests, limiting it to only trusted destinations. Deploying Web Application Firewalls (WAFs) with rules to detect and block anomalous x-portkey-custom-host header values can provide additional protection. Regularly audit and monitor logs for unusual proxy request patterns indicative of SSRF attempts. Employ network segmentation to isolate the gateway from sensitive internal services and enforce the principle of least privilege on network access. Security teams should also conduct penetration testing focused on SSRF vectors to validate defenses. Finally, maintain up-to-date threat intelligence and incident response plans tailored to AI infrastructure components.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-11-28T23:33:56.365Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 692e19186dbd3477d74d63cf
Added to database: 12/1/2025, 10:39:20 PM
Last enriched: 12/8/2025, 11:17:06 PM
Last updated: 1/18/2026, 10:44:47 PM
Views: 53
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-23525: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in 1Panel-dev 1Panel
MediumCVE-2026-1126: Unrestricted Upload in lwj flow
MediumCVE-2026-1125: Command Injection in D-Link DIR-823X
MediumCVE-2026-1124: SQL Injection in Yonyou KSOA
MediumCVE-2026-0863: CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
HighActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.