Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability has been found in vercel ai up to 3.0.97. Impacted is the function run of the file .github/workflows/prettier-on-automerge.yml of the component PR Branch Name Interpolation. The manipulation leads to os command injection. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
OS command injection in Vercel AI SDK versions up to 3.0.97 allows authenticated remote attackers with pull request creation privileges to execute arbitrary commands on CI/CD runners through malicious branch names. The vulnerability resides in the prettier-on-automerge GitHub Actions workflow, which insecurely interpolates PR branch names into shell commands. A public proof-of-concept exploit exists (disclosed via GitHub Gist), demonstrating feasibility despite CVSS 4.0 rating the complexity as high (AC:H) and exploitability as difficult. The vendor (Vercel) was notified but has not responded, and no patch availability is confirmed from vendor sources at time of analysis.
Technical ContextAI
This vulnerability affects the Vercel AI SDK's GitHub Actions CI/CD workflow configuration. The file .github/workflows/prettier-on-automerge.yml contains a run step that performs unsanitized string interpolation of GitHub pull request branch names into shell commands. CWE-78 (OS Command Injection) occurs when user-controlled data-in this case, the branch name chosen by a contributor-is passed directly to a shell interpreter without proper escaping or validation. GitHub Actions contexts like github.head_ref or github.event.pull_request.head.ref are treated as trusted inputs by many workflow authors, but these values are attacker-controllable when a user creates a pull request from a fork with a specially-crafted branch name. The CPE identifier cpe:2.3:a:vercel:ai:*:*:*:*:*:*:*:* confirms the affected product is the Vercel AI library/SDK itself, not a SaaS platform component. The CVSS 4.0 vector indicates network-based attack (AV:N), high complexity (AC:H), low privileges required (PR:L), and proof-of-concept exploit availability (E:P), with low confidentiality, integrity, and availability impacts (VC:L/VI:L/VA:L) scoped to the vulnerable component only (SC:N/SI:N/SA:N).
RemediationAI
No vendor-released patch version has been confirmed at time of analysis-Vercel was contacted during responsible disclosure but did not respond per VulDB submission 811402. Organizations should immediately implement compensating controls: First, audit all GitHub Actions workflows in the Vercel AI SDK repository for instances of unsanitized branch name or pull request title interpolation (search for github.head_ref, github.event.pull_request.head.ref, or similar context variables used in run: blocks without proper quoting). Second, modify the .github/workflows/prettier-on-automerge.yml workflow to sanitize inputs-replace direct interpolation with validated environment variables or use GitHub Actions expressions that automatically escape shell metacharacters. Third, restrict pull request workflow triggers to trusted branches only using pull_request_target with explicit paths and branches filters, and avoid checking out untrusted code in workflows with write permissions. Fourth, apply principle of least privilege to GitHub Actions workflows by using separate tokens with minimal scopes and avoiding storage of production credentials in CI secrets accessible to PR workflows. Note that disabling the prettier-on-automerge workflow entirely eliminates this attack surface but removes automated code formatting functionality. Monitor the upstream Vercel AI SDK repository (https://github.com/vercel/ai) for security advisories and patch releases beyond version 3.0.97. VulDB reference: https://vuldb.com/vuln/364392/cti
discourse-ai is the AI plugin for the open-source discussion platform Discourse. Rated high severity (CVSS 7.2), this vu
Server-side request forgery in Vercel AI SDK versions up to 3.0.97 allows remote unauthenticated attackers to forge requ
Resource exhaustion in Vercel AI SDK's provider-utils package (versions ≤3.0.97) allows authenticated remote attackers t
A vulnerability in Vercel’s AI SDK has been fixed in versions 5.0.52, 5.1.0-beta.9, and 6.0.0-beta. Rated low severity (
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30714
GHSA-9pj2-3x6v-c3pp