Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was found in vercel ai up to 3.0.97. The affected element is the function validateDownloadUrl of the file packages/provider-utils/src/download-blob.ts of the component provider-utils. The manipulation results in server-side request forgery. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Server-side request forgery in Vercel AI SDK versions up to 3.0.97 allows remote unauthenticated attackers to forge requests from the server to arbitrary internal or external resources via the validateDownloadUrl function in provider-utils. Publicly available exploit code exists (CVSS E:P). EPSS data not available, not listed in CISA KEV. Vendor unresponsive to disclosure, indicating no official patch or advisory at time of analysis. Organizations using affected versions for AI model downloads or blob handling should implement immediate compensating controls.
Technical ContextAI
The vulnerability affects the provider-utils package component of the Vercel AI SDK, specifically within the validateDownloadUrl function in packages/provider-utils/src/download-blob.ts. This function likely handles validation and fetching of AI model files or other blob resources from URLs. CWE-918 (Server-Side Request Forgery) indicates insufficient validation of user-supplied URLs before the server makes HTTP requests, enabling attackers to manipulate the server into accessing unintended destinations. SSRF vulnerabilities in AI SDK contexts are particularly concerning because model download functionality often requires fetching large files from remote sources, creating a broad attack surface. The provider-utils component suggests this affects multiple AI provider integrations within the SDK ecosystem.
RemediationAI
No vendor-released patch identified at time of analysis - Vercel did not respond to coordinated disclosure. Immediate compensating controls required: First, implement strict URL allowlisting at the application layer before calls to validateDownloadUrl, permitting only trusted AI model hosting domains (e.g., specific AWS S3 buckets, Hugging Face CDN endpoints). Trade-off: breaks workflows requiring dynamic model sources. Second, deploy egress filtering at network layer to block server access to RFC 1918 private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), localhost (127.0.0.0/8), link-local addresses (169.254.0.0/16), and cloud metadata endpoints (169.254.169.254). Trade-off: may disrupt legitimate internal API calls. Third, if using cloud infrastructure, enforce IMDSv2 (AWS) or equivalent metadata protections (Azure, GCP) to mitigate credential theft via SSRF. Consider temporarily replacing provider-utils blob download functionality with custom implementation using battle-tested HTTP client libraries with SSRF protections (e.g., axios with strict redirects disabled and IP validation). Monitor Vercel's GitHub repository (vercel/ai) for community-driven patches or forks. Reference technical analysis at https://gist.github.com/YLChen-007/07d149bd68adbee58165b4207a2abc71 for exploitation vectors to inform defensive measures.
discourse-ai is the AI plugin for the open-source discussion platform Discourse. Rated high severity (CVSS 7.2), this vu
OS command injection in Vercel AI SDK versions up to 3.0.97 allows authenticated remote attackers with pull request crea
Resource exhaustion in Vercel AI SDK's provider-utils package (versions ≤3.0.97) allows authenticated remote attackers t
A vulnerability in Vercel’s AI SDK has been fixed in versions 5.0.52, 5.1.0-beta.9, and 6.0.0-beta. Rated low severity (
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30713
GHSA-8rqj-9gxc-63cr