QwikSec

Security Database

CVE

CWE

Training

CVE-2025-66405

Published: Dec 1, 2025

Modified: Dec 2, 2025

PUBLISHED

Description

Portkey.ai Gateway is a blazing fast AI Gateway with integrated guardrails. Prior to 1.14.0, the gateway determined the destination baseURL by prioritizing the value in the x-portkey-custom-host request header. The proxy route then appends the client-specified path to perform an external fetch. This can be maliciously used by users for SSRF attacks. This vulnerability is fixed in 1.14.0.

Vendor	Product	Versions
Portkey-AI	gateway	affected `< 1.14.0`

Weaknesses (CWE)

References

https://github.com/Portkey-AI/gateway/security/advisories/GHSA-hhh5-2cvx-vmfp

x_refsource_CONFIRM

https://github.com/Portkey-AI/gateway/pull/1372

x_refsource_MISC

https://github.com/Portkey-AI/gateway/commit/b5a7825ba5f4e6918deb32d9969899ce2229a885

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.