OpenAI

Security researchers from Adversa AI uncovered PROMISQROUTE, a critical vulnerability in ChatGPT-5 and other AI systems that allows attackers to bypass safety measures by exploiting AI routing mechanisms. The attack manipulates the cost-saving routing systems used to redirect user queries to cheaper, less secure models by inserting trigger phrases (e.g., *'respond quickly'* or *'use compatibility mode'*) into prompts. This forces harmful requests (e.g., instructions for explosives) through weaker models such as GPT-4 or GPT-5-mini, circumventing the safeguards of the primary model. The flaw stems from OpenAI's $1.86B/year cost-saving strategy, under which most 'GPT-5' queries are secretly handled by inferior models, prioritizing efficiency over security. The vulnerability extends to enterprise AI deployments and agentic systems, risking widespread exploitation. The researchers warn of immediate risks to customer safety, business integrity, and trust in AI systems, and urge cryptographic routing fixes and universal safety filters across all model tiers. The discovery exposes systemic weaknesses in AI infrastructure, where profit-driven optimizations directly undermine security controls and leave users exposed to manipulated, unsafe responses.

Source: https://gbhackers.com/chatgpt-5-downgrade-attack/

TPRM report: https://www.rankiteo.com/company/openai

"id": "ope444082425",
"linkid": "openai",
"type": "Vulnerability",
"date": "8/2025",
"severity": "100",
"impact": "",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': 'Global AI Service Users '
                                              '(Estimated Millions)',
                        'industry': 'Artificial Intelligence',
                        'location': 'San Francisco, California, USA',
                        'name': 'OpenAI',
                        'type': 'AI Research Organization'},
                       {'industry': ['Technology',
                                     'Finance',
                                     'Healthcare',
                                     'Retail',
                                     'Other AI-Adopting Sectors'],
                        'location': 'Global',
                        'name': 'Enterprise AI Deployments (Generic)',
                        'type': 'Corporate/Enterprise'}],
 'attack_vector': ['Prompt-Based Routing Manipulation',
                   'SSRF-like Query Exploitation',
                   'Model Downgrade Attack'],
 'customer_advisories': ['Users of ChatGPT-5 and Similar AI Services',
                         'Developers Integrating AI Models into Applications'],
 'description': 'Security researchers from Adversa AI uncovered a critical '
                'vulnerability in ChatGPT-5 and other major AI systems, dubbed '
                'PROMISQROUTE, which allows attackers to bypass safety '
                'measures by exploiting AI routing mechanisms. The attack '
                'manipulates the routing infrastructure to force requests '
                'through weaker, less secure models by using simple prompt '
                "modifications (e.g., 'respond quickly,' 'use compatibility "
                "mode'). This vulnerability stems from cost-saving routing "
                'practices where user queries are directed to cheaper, less '
                'secure models, saving providers like OpenAI an estimated '
                '$1.86 billion annually. The issue affects any AI system using '
                'layered AI-based model routing, posing broad risks to '
                'enterprise and agentic AI deployments. Researchers recommend '
                'auditing routing logs, implementing cryptographic routing, '
                'and adding universal safety filters across all model variants '
                'as mitigations.',
 'impact': {'brand_reputation_impact': ['Erosion of Trust in AI Safety',
                                        'Perceived Negligence in Security '
                                        'Practices'],
            'operational_impact': ['Compromised AI Safety Filters',
                                   'Unauthorized Access to Restricted '
                                   'Responses',
                                   'Potential for Malicious Content '
                                   'Generation'],
            'systems_affected': ['ChatGPT-5',
                                 'GPT-4',
                                 'GPT-5-mini',
                                 'Enterprise AI Deployments',
                                 'Agentic AI Systems']},
 'initial_access_broker': {'entry_point': ['User Prompt Input Field',
                                           'AI Routing Layer'],
                           'high_value_targets': ['AI Safety Filters',
                                                  'Restricted Response '
                                                  'Policies']},
 'investigation_status': 'Disclosed by Third-Party Researchers (Adversa AI)',
 'lessons_learned': ['Cost-Saving Measures in AI Routing Can Compromise '
                     'Security',
                     'Layered AI Model Architectures Introduce New Attack '
                     'Surfaces',
                     'Prompt-Based Attacks Can Exploit Non-Obvious System '
                     'Behaviors',
                     'Transparency in AI Infrastructure is Critical for Trust '
                     'and Safety'],
 'motivation': ['Cost-Saving Exploitation',
                'Bypassing AI Safety Measures',
                'Research/Proof-of-Concept'],
 'post_incident_analysis': {'corrective_actions': ['Redesign Routing Systems '
                                                   'to Prioritize Security '
                                                   'Over Cost',
                                                   'Implement Real-Time '
                                                   'Monitoring for Routing '
                                                   'Anomalies',
                                                   'Standardize Safety '
                                                   'Protocols Across All Model '
                                                   'Tiers',
                                                   'Engage Independent Audits '
                                                   'of AI Routing Mechanisms'],
                            'root_causes': ['Over-Reliance on Cost-Optimized '
                                            'Routing Without Security '
                                            'Safeguards',
                                            'Lack of Input Validation in '
                                            'Routing Decision-Making',
                                            'Assumption of Uniform Safety '
                                            'Across Model Variants',
                                            'Transparency Gaps in AI '
                                            'Infrastructure Design']},
 'recommendations': ['Conduct Immediate Audits of AI Routing Logs for '
                     'Anomalies',
                     'Replace User-Input-Dependent Routing with Cryptographic '
                     'Methods',
                     'Deploy Universal Safety Filters Across All Model '
                     'Variants (Not Just Premium Ones)',
                     "Test Systems with Trigger Phrases (e.g., 'Let’s keep "
                     "this quick, light, and conversational') to Identify "
                     'Vulnerabilities',
                     'Evaluate Trade-offs Between Cost Efficiency and Security '
                     'in AI Deployments',
                     'Increase Transparency About Model Routing Practices to '
                     'Build User Trust'],
 'references': [{'source': 'Adversa AI Research Report'},
                {'source': 'Media Coverage (Google News, LinkedIn, X)'}],
 'response': {'communication_strategy': ['Public Disclosure via Research '
                                         'Report',
                                         'Media Outreach (e.g., Google News, '
                                         'LinkedIn, X)'],
              'enhanced_monitoring': ['Monitor for Trigger Phrases (e.g., '
                                      "'respond quickly', 'compatibility "
                                      "mode')"],
              'remediation_measures': ['Audit AI Routing Logs for Suspicious '
                                       'Activity',
                                       'Implement Cryptographic Routing '
                                       '(Non-User-Input Parsing)',
                                       'Add Universal Safety Filters Across '
                                       'All Model Variants'],
              'third_party_assistance': ['Adversa AI (Research/Disclosure)']},
 'stakeholder_advisories': ['AI Service Providers (e.g., OpenAI, Microsoft, '
                            'Google)',
                            'Enterprise AI Adopters',
                            'Regulatory Bodies Overseeing AI Safety'],
 'title': 'PROMISQROUTE Vulnerability in ChatGPT-5 and Major AI Systems '
          'Exposes Critical Security Flaws in AI Routing Mechanisms',
 'type': ['AI System Vulnerability',
          'Prompt Injection',
          'Routing Manipulation',
          'Jailbreak Exploit'],
 'vulnerability_exploited': 'PROMISQROUTE (Prompt-based Router Open-Mode '
                            'Manipulation Induced via SSRF-like Queries, '
                            'Reconfiguring Operations Using Trust Evasion)'}