Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Remote, no-auth, single-header bypass gives AV:N/AC:L/PR:N/UI:N; credential/metadata disclosure is C:H with limited I:L, and the SSRF pivot to other systems justifies S:C.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
9Router is an AI router & token saver. Prior to 0.5.2, 9router determines whether a /v1 LLM proxy request is local by reading the client-controlled Host header, allowing a remote unauthenticated attacker to send Host: localhost and bypass API-key authentication. In the default configuration, this exposes the /v1 proxy to upstream provider calls using stored provider credentials and allows /v1/search with the searxng provider_options.baseUrl parameter to drive server-side requests to internal or cloud-metadata hosts. This issue is fixed in version 0.5.2.
AnalysisAI
Authentication bypass in 9Router (decolua/9router) before 0.5.2 lets a remote unauthenticated attacker forge a 'Host: localhost' header so the /v1 LLM proxy treats the request as local and skips API-key checks. Once past authentication, an attacker abuses stored provider credentials for upstream LLM calls and leverages /v1/search's searxng provider_options.baseUrl to force server-side requests to internal or cloud-metadata endpoints (SSRF). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the 9Router /v1 proxy is network-reachable by the attacker (default configuration is explicitly stated as vulnerable) and that the server derives 'local request' trust from the Host header - satisfied on all versions before 0.5.2. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N, base 8.2) is internally consistent with the description: network reachable, low complexity, no privileges, no user interaction, high confidentiality impact (credential exposure and metadata theft) and limited integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach an internet-exposed 9Router instance sends a /v1 request with a spoofed 'Host: localhost' header, which the server trusts as a local call and processes without an API key. The attacker then issues upstream LLM calls billed to the victim's stored provider credentials, and submits a /v1/search request with searxng provider_options.baseUrl set to http://169.254.169.254/ to read cloud-metadata (or internal service) responses. … |
| Remediation | Vendor-released patch: version 0.5.2 - upgrade all 9Router instances to 0.5.2 or later, which corrects how local/loopback requests are determined (fix commit b282f0554972ea35281520738759d76abcd0b0b3; advisory GHSA-86m2-fcxq-5q7c). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running decolua/9router before version 0.5.2 using dependency scanning tools and inventory their network exposure; review proxy access logs for requests with 'Host: localhost' headers from non-internal source IPs. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Unauthenticated CRUD on the provider-management API in 9Router (through 0.4.41) lets remote attackers with no credential
Remote authorization bypass in decolua 9router up to version 0.3.47 allows unauthenticated network attackers to access t
Unauthenticated API key disclosure in 9Router (npm package '9router' by decolua) through version 0.4.41 lets any remote
Authenticated remote code execution in 9Router before 0.5.2 lets a logged-in attacker run arbitrary OS commands on the h
Unauthenticated information disclosure in 9Router (decolua/9router) through version 0.4.41 lets remote attackers read ev
Authentication bypass in 9Router (AI router & token saver) prior to 0.5.4 lets any authenticated user disable applicatio
Authorization-gate bypass in 9Router (decolua/9router) before 0.5.2 lets a remote unauthenticated attacker reach protect
Authentication bypass in 9Router (decolua/9router) versions prior to 0.5.2 lets remote unauthenticated attackers reach p
Server-side request forgery via DNS rebinding in 9Router (decolua/9router) before 0.5.2 allows an authenticated LLM-prox
Server-side request forgery (SSRF) in 9Router's Kiro API-key validation endpoint allows authenticated attackers to redir
Improper authorization in decolua 9router through version 0.4.0 allows remote attackers with low privileges to bypass JW
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42930