Skip to main content

Vercel AI SDK CVE-2026-8768

| EUVDEUVD-2026-30713 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-17 cna@vuldb.com GHSA-8rqj-9gxc-63cr
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 17, 2026 - 23:30 vuln.today

DescriptionCVE.org

A vulnerability was found in vercel ai up to 3.0.97. The affected element is the function validateDownloadUrl of the file packages/provider-utils/src/download-blob.ts of the component provider-utils. The manipulation results in server-side request forgery. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Server-side request forgery in Vercel AI SDK versions up to 3.0.97 allows remote unauthenticated attackers to forge requests from the server to arbitrary internal or external resources via the validateDownloadUrl function in provider-utils. Publicly available exploit code exists (CVSS E:P). EPSS data not available, not listed in CISA KEV. Vendor unresponsive to disclosure, indicating no official patch or advisory at time of analysis. Organizations using affected versions for AI model downloads or blob handling should implement immediate compensating controls.

Technical ContextAI

The vulnerability affects the provider-utils package component of the Vercel AI SDK, specifically within the validateDownloadUrl function in packages/provider-utils/src/download-blob.ts. This function likely handles validation and fetching of AI model files or other blob resources from URLs. CWE-918 (Server-Side Request Forgery) indicates insufficient validation of user-supplied URLs before the server makes HTTP requests, enabling attackers to manipulate the server into accessing unintended destinations. SSRF vulnerabilities in AI SDK contexts are particularly concerning because model download functionality often requires fetching large files from remote sources, creating a broad attack surface. The provider-utils component suggests this affects multiple AI provider integrations within the SDK ecosystem.

RemediationAI

No vendor-released patch identified at time of analysis - Vercel did not respond to coordinated disclosure. Immediate compensating controls required: First, implement strict URL allowlisting at the application layer before calls to validateDownloadUrl, permitting only trusted AI model hosting domains (e.g., specific AWS S3 buckets, Hugging Face CDN endpoints). Trade-off: breaks workflows requiring dynamic model sources. Second, deploy egress filtering at network layer to block server access to RFC 1918 private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), localhost (127.0.0.0/8), link-local addresses (169.254.0.0/16), and cloud metadata endpoints (169.254.169.254). Trade-off: may disrupt legitimate internal API calls. Third, if using cloud infrastructure, enforce IMDSv2 (AWS) or equivalent metadata protections (Azure, GCP) to mitigate credential theft via SSRF. Consider temporarily replacing provider-utils blob download functionality with custom implementation using battle-tested HTTP client libraries with SSRF protections (e.g., axios with strict redirects disabled and IP validation). Monitor Vercel's GitHub repository (vercel/ai) for community-driven patches or forks. Reference technical analysis at https://gist.github.com/YLChen-007/07d149bd68adbee58165b4207a2abc71 for exploitation vectors to inform defensive measures.

Share

CVE-2026-8768 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy