CVE-2025-66405 Overview
CVE-2025-66405 is a Server-Side Request Forgery (SSRF) vulnerability in Portkey.ai Gateway, a high-performance AI Gateway solution with integrated guardrails. Prior to version 1.14.0, the gateway determined the destination baseURL by prioritizing the value in the x-portkey-custom-host request header. The proxy route then appends the client-specified path to perform an external fetch operation. This design flaw can be maliciously exploited by attackers to conduct SSRF attacks, potentially allowing unauthorized access to internal services, cloud metadata endpoints, and other protected resources.
Critical Impact
Attackers can leverage this SSRF vulnerability to access internal network resources, cloud instance metadata services, and potentially pivot to more sensitive systems within the infrastructure.
Affected Products
- Portkey.ai Gateway versions prior to 1.14.0
Discovery Timeline
- 2025-12-01 - CVE-2025-66405 published to NVD
- 2025-12-02 - Last updated in NVD database
Technical Details for CVE-2025-66405
Vulnerability Analysis
This vulnerability is classified as CWE-918 (Server-Side Request Forgery). With a CVSS 4.0 score of 6.9 (MEDIUM severity), the vulnerability has a network attack vector with low attack complexity and requires no privileges or user interaction to exploit.
The CVSS vector (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X) indicates that there is no direct impact on the confidentiality, integrity, or availability of the vulnerable system itself, but a low impact on the confidentiality and integrity of subsequent systems, which is characteristic of SSRF vulnerabilities that let an attacker reach otherwise inaccessible resources.
The Exploit Prediction Scoring System (EPSS) assigns a probability of 0.051% with a percentile ranking of 15.906, indicating relatively low likelihood of active exploitation in the wild at this time.
Root Cause
The root cause of this vulnerability lies in the gateway's trust of user-controlled input for determining outbound request destinations. The x-portkey-custom-host HTTP header allows clients to specify arbitrary host values, which the proxy route uses to construct the baseURL for external requests. This lack of input validation and URL allowlisting enables attackers to redirect server-side requests to unintended destinations.
Attack Vector
The attack vector is network-based and requires no authentication. An attacker can craft HTTP requests containing a malicious x-portkey-custom-host header pointing to internal resources such as:
- Cloud metadata endpoints (e.g., http://169.254.169.254/latest/meta-data/)
- Internal service APIs
- Localhost services not exposed externally
- Private network infrastructure
The vulnerability allows an attacker to manipulate the gateway into making requests on their behalf, effectively bypassing network segmentation and firewall rules that would normally prevent direct access to these resources.
For technical details on the vulnerability mechanism and the specific code changes, see the security advisory on GitHub and the fix commit.
Detection Methods for CVE-2025-66405
Indicators of Compromise
- Unusual outbound requests from the Portkey gateway to internal IP ranges (e.g., 10.x.x.x, 172.16.x.x, 192.168.x.x)
- Requests to cloud metadata endpoints (169.254.169.254)
- Abnormal x-portkey-custom-host header values pointing to non-standard destinations
- Gateway logs showing connections to localhost or internal services
Detection Strategies
Monitor HTTP request logs for the x-portkey-custom-host header containing:
- Private IP address ranges
- Localhost references (127.0.0.1, localhost, ::1)
- Cloud metadata IP addresses
- Internal hostnames or non-production domains
Implement network-level monitoring to detect outbound connections from the gateway to internal resources that should not normally be accessed.
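As an added example (not Portkey code), the classifier below applies the header checks listed above to constructed JSON access-log lines. The log layout, the header's location under "headers", and the treatment of .internal/.local suffixes and single-label names as internal hostnames are assumptions.

```python
"""Flag x-portkey-custom-host values that point at internal destinations.

Added example, not Portkey code. Log format (constructed): one JSON object
per line, request headers under "headers".
"""
import ipaddress
import json
from urllib.parse import urlsplit

HEADER = "x-portkey-custom-host"
METADATA_IP = ipaddress.ip_address("169.254.169.254")
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}
INTERNAL_SUFFIXES = (".internal", ".local", ".localdomain")  # assumption


def classify_host(value: str) -> str:
    """Accept a bare host, host:port, [v6]:port or full URL; return a category."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value  # lets urlsplit parse host:port and bracketed IPv6
    try:
        host = (urlsplit(value).hostname or "").lower()
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return "invalid"
    if not host:
        return "invalid"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal, so treat as a hostname
        if host in LOOPBACK_NAMES:
            return "loopback"
        if host.endswith(INTERNAL_SUFFIXES) or "." not in host:
            return "internal_name"  # single labels only resolve via search domains
        return "external"
    if ip == METADATA_IP:
        return "metadata"
    if ip.is_loopback or ip.is_unspecified:
        return "loopback"
    if ip.is_link_local:  # checked before is_private, which also covers 169.254/16
        return "link_local"
    if ip.is_private:
        return "private"
    return "external"


def scan_log(lines):
    """Return (line_no, header_value, category) for each non-external destination."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        value = rec.get("headers", {}).get(HEADER) if isinstance(rec, dict) else None
        if value is not None and (cat := classify_host(value)) != "external":
            hits.append((n, value, cat))
    return hits


SAMPLE_LOG = [  # constructed sample lines
    '{"path": "/v1/chat/completions", "headers": {"x-portkey-custom-host": "https://api.example-llm.com"}}',
    '{"path": "/v1/chat/completions", "headers": {"x-portkey-custom-host": "http://169.254.169.254/latest/meta-data/"}}',
    '{"path": "/v1/proxy/admin", "headers": {"x-portkey-custom-host": "10.0.4.12:8080"}}',
    '{"path": "/v1/proxy/x", "headers": {"x-portkey-custom-host": "[::1]:9000"}}',
    '{"path": "/v1/proxy/y", "headers": {"x-portkey-custom-host": "vault.internal"}}',
    '{"path": "/v1/chat/completions", "headers": {}}',
    'not json at all',
]

if __name__ == "__main__":
    for line_no, value, cat in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {cat:<13} {value}")
```

The same classify_host check can drive a WAF or reverse-proxy deny rule in front of an unpatched gateway.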
Monitoring Recommendations
Deploy network traffic analysis to identify anomalous outbound requests from the gateway service. Configure alerting for any requests containing suspicious destination URLs in the x-portkey-custom-host header. Review gateway access logs regularly for patterns indicative of SSRF exploitation attempts. Consider implementing a Web Application Firewall (WAF) rule to inspect and validate custom host headers.
How to Mitigate CVE-2025-66405
Immediate Actions Required
- Upgrade Portkey.ai Gateway to version 1.14.0 or later immediately
- Review gateway logs for any evidence of SSRF exploitation attempts
- Implement network segmentation to limit the gateway's access to internal resources
- Consider deploying allowlist-based URL filtering at the network level
Patch Information
The vulnerability has been fixed in Portkey.ai Gateway version 1.14.0. The fix was implemented in Pull Request #1372 and committed as b5a7825ba5f4e6918deb32d9969899ce2229a885. Organizations should update to version 1.14.0 or later to remediate this vulnerability.
Reference the official GitHub Security Advisory GHSA-hhh5-2cvx-vmfp for complete details.
Workarounds
If immediate patching is not possible, implement the following temporary mitigations:
# Network-level mitigation: block outbound requests from the gateway to internal networks.
# Example iptables rules. As written they apply to every process on the host; scope them to
# the gateway's service account with "-m owner --uid-owner <gateway-user>" so the host's own
# loopback traffic (local health checks, sidecars) keeps working. Add matching ip6tables rules
# (::1, fc00::/7, fe80::/10) if the gateway has IPv6 connectivity.
iptables -A OUTPUT -d 169.254.169.254 -j DROP   # cloud instance metadata service
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP        # RFC 1918 private ranges
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -d 127.0.0.0/8 -j DROP       # loopback; see the scoping note above
Additionally, consider deploying a reverse proxy or WAF in front of the gateway to sanitize or block requests with suspicious x-portkey-custom-host header values. Implement strict egress filtering to limit the gateway's ability to reach sensitive internal resources.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.