Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Authenticated proxy user (PR:L) over the network; winning the DNS rebind race raises AC:H; SSRF pivots to internal systems (S:C) with limited read/write and no availability impact (A:N).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
9Router is an AI router & token saver. Prior to 0.5.2, 9router validates image URLs by resolving the host before fetching, but open-sse/translator/concerns/image.js performs the later server-side image fetch with a separate DNS resolution. An authenticated attacker with access to the LLM proxy can use a vision-capable model and an attacker-controlled DNS name that first resolves to a public IP and then rebinds to an internal address, allowing server-side requests to internal-only HTTP services. This issue is fixed in version 0.5.2.
AnalysisAI
Server-side request forgery via DNS rebinding in 9Router (decolua/9router) before 0.5.2 allows an authenticated LLM-proxy user to reach internal-only HTTP services. The image-URL validation resolves the host once to a public IP, but open-sse/translator/concerns/image.js performs the actual server-side fetch with a separate DNS lookup, so an attacker-controlled name can rebind to an internal address between the two resolutions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated user with access to the LLM proxy (PR:L) who can invoke a vision-capable model that accepts remote image URLs. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L, base 7.4 High) reflects a network-reachable, low-complexity attack requiring low-privilege authentication, with a scope change (S:C) capturing the pivot from the proxy into internal systems, and limited C/I/A impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds valid credentials for the 9router LLM proxy sends a vision-model request whose image URL points to a hostname on their own authoritative DNS server. That name first resolves to a benign public IP so validation passes, then rebinds to 127.0.0.1 or an internal address on the fetch, causing the server to retrieve content from an internal-only HTTP service and disclose it back through the model pipeline. … |
| Remediation | Vendor-released patch: upgrade 9router to version 0.5.2 or later (release https://github.com/decolua/9router/releases/tag/v0.5.2, fix commit c7d07448c58bec1200741de0b73305b860416b82, advisory GHSA-cmhj-wh2f-9cgx). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running 9Router and document current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Unauthenticated CRUD on the provider-management API in 9Router (through 0.4.41) lets remote attackers with no credential
Remote authorization bypass in decolua 9router up to version 0.3.47 allows unauthenticated network attackers to access t
Unauthenticated API key disclosure in 9Router (npm package '9router' by decolua) through version 0.4.41 lets any remote
Authenticated remote code execution in 9Router before 0.5.2 lets a logged-in attacker run arbitrary OS commands on the h
Unauthenticated information disclosure in 9Router (decolua/9router) through version 0.4.41 lets remote attackers read ev
Authentication bypass in 9Router (AI router & token saver) prior to 0.5.4 lets any authenticated user disable applicatio
Authorization-gate bypass in 9Router (decolua/9router) before 0.5.2 lets a remote unauthenticated attacker reach protect
Authentication bypass in 9Router (decolua/9router) versions prior to 0.5.2 lets remote unauthenticated attackers reach p
Authentication bypass in 9Router (decolua/9router) before 0.5.2 lets a remote unauthenticated attacker forge a 'Host: lo
Server-side request forgery (SSRF) in 9Router's Kiro API-key validation endpoint allows authenticated attackers to redir
Improper authorization in decolua 9router through version 0.4.0 allows remote attackers with low privileges to bypass JW
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42929