Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Scope changes to subsequent AWS system (IAM via IMDS); confidentiality high if credentials exposed; PR:L per provided CVSS 4.0 vector.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A flaw has been found in Helicone ai-gateway up to 0.2.0-beta.30. This affects the function build_target_url of the file ai-gateway/src/dispatcher/service.rs of the component AWS Metadata Service. Executing a manipulation of the argument extracted_path_and_query can lead to server-side request forgery. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Server-side request forgery in Helicone ai-gateway (up to 0.2.0-beta.30) allows a low-privileged remote attacker to manipulate the extracted_path_and_query argument within the build_target_url function of the AWS Metadata Service component, causing the gateway to issue unauthorized server-side HTTP requests to internal infrastructure. For deployments on AWS, this most critically targets the EC2 Instance Metadata Service (IMDS) at 169.254.169.254, potentially exposing IAM role credentials that carry blast radius far exceeding the assigned CVSS 5.3 score. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Low-privilege authentication is required (PR:L per CVSS 4.0 vector) - an attacker must hold a valid account or API key on the Helicone ai-gateway instance. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 4.0 score of 5.3 materially underrepresents real-world risk for AWS-hosted deployments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged user with API access to the Helicone ai-gateway crafts a request that injects a path component targeting http://169.254.169.254/latest/meta-data/iam/security-credentials/ into the `extracted_path_and_query` argument processed by `build_target_url`. A public POC is available at the GitHub issue linked in references, lowering the skill threshold to near-zero. … |
| Remediation | No vendor-released patch is identified at time of analysis - the vendor did not respond to the coordinated disclosure. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43249
GHSA-9fxj-mchq-843p