Overview
CVE-2025-66405 describes a Server-Side Request Forgery (SSRF) vulnerability found in versions of Portkey.ai Gateway prior to 1.14.0. Portkey.ai Gateway is designed to be a fast AI Gateway with integrated guardrails. This vulnerability allowed attackers to potentially force the gateway to make requests to arbitrary internal or external servers, leading to information disclosure or other malicious activities.
Technical Details
The vulnerability stemmed from how the Portkey.ai Gateway handled the `x-portkey-custom-host` request header. Prior to version 1.14.0, the gateway prioritized the value supplied in this header to determine the destination `baseURL` for proxy requests. The proxy route would then append a client-specified path to this base URL. This behavior made it possible for an attacker to inject a malicious URL into the `x-portkey-custom-host` header, causing the gateway to make requests to unintended locations.
For example, an attacker could set `x-portkey-custom-host` to `http://internal-server/` and then send a request with a path such as `/sensitive-data`. The gateway would then make a request to `http://internal-server/sensitive-data`, potentially exposing sensitive information that would otherwise be inaccessible from the outside.
CVSS Analysis
Due to the nature of this vulnerability, a CVSS score is typically expected to be in the high range. However, the provided information indicates that a CVSS score is currently unavailable (N/A). The actual severity will depend on the specific environment and the potential impact of successful SSRF attacks within that environment.
Factors to consider when evaluating the real-world severity include:
- The presence of sensitive internal resources accessible from the gateway.
- The potential for the gateway to interact with internal APIs.
- The network configuration of the environment.
Possible Impact
Successful exploitation of this SSRF vulnerability could lead to a range of adverse consequences, including:
- Information Disclosure: Exposure of sensitive data from internal systems.
- Internal Service Scanning: Attackers could use the gateway to scan the internal network for open ports and services.
- Denial of Service (DoS): In some scenarios, attackers could cause the gateway to make requests that overwhelm internal systems, leading to a denial of service.
- Credential Theft: Potentially gaining access to internal services using stolen credentials if the gateway is configured to pass credentials along with requests.
Mitigation and Patch Steps
The recommended mitigation is to upgrade Portkey.ai Gateway to version 1.14.0 or later. This version contains a fix that properly validates the `x-portkey-custom-host` header, preventing the SSRF vulnerability.
Upgrade Instructions: Refer to the official Portkey.ai Gateway documentation for detailed upgrade instructions. It is generally recommended to follow the standard upgrade procedure for your deployment environment (e.g., using `npm`, `docker-compose`, or your chosen deployment method).
Workarounds (If Immediate Upgrade is Not Possible):
While upgrading is the best solution, if an immediate upgrade is not possible, consider implementing these temporary workarounds with caution:
- Input Validation: Implement a reverse proxy or web application firewall (WAF) in front of the gateway to validate and sanitize the `x-portkey-custom-host` header. Ensure that the header contains only allowed characters and conforms to a strict URL format.
- Network Segmentation: Restrict network access from the gateway to only the necessary internal resources. Use firewall rules to block outbound connections to arbitrary internal and external IPs.
- Monitor Gateway Logs: Carefully monitor the gateway logs for suspicious activity, such as requests to unusual or unexpected destinations.
Important Note: Workarounds are not a substitute for upgrading to the patched version. They should only be used as temporary measures until an upgrade can be performed.
