CVE-2026-25640 in pydantic-ai
Summary
by MITRE • 02/06/2026
Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 1.34.0 to before 1.51.0, a path traversal vulnerability in the Pydantic AI web UI allows an attacker to serve arbitrary JavaScript in the context of the application by crafting a malicious URL. In affected versions, the CDN URL is constructed using a version query parameter from the request URL. This parameter is not validated, allowing path traversal sequences that cause the server to fetch and serve attacker-controlled HTML/JavaScript from an arbitrary source on the same CDN, instead of the legitimate chat UI package. If a victim clicks the link or visits it via an iframe, attacker-controlled code executes in their browser, enabling theft of chat history and other client-side data. This vulnerability only affects applications that use Agent.to_web to serve a chat interface and clai web to serve a chat interface from the CLI. These are typically run locally (on localhost), but may also be deployed on a remote server. This vulnerability is fixed in 1.51.0.
Analysis
by VulDB Data Team • 02/21/2026
CVE-2026-25640 affects Pydantic AI, a Python framework for building generative AI applications and workflows. The flaw lies in the framework's web user interface component and affects versions from 1.34.0 up to, but not including, 1.51.0. It stems from improper input validation in the content delivery network configuration: the framework builds the CDN URL from a version query parameter taken directly from the HTTP request URL. Because that parameter is not validated, an attacker can embed path traversal sequences that redirect the application's content delivery to fetch and serve malicious JavaScript from an arbitrary location on the same CDN rather than the legitimate chat interface package.
Exploitation relies on the framework's failure to validate the version query parameter, which is a classic path traversal vector. When a crafted URL carries traversal sequences in that parameter, the application interpolates them unchecked into the CDN request, so the request resolves outside the intended package location and the server retrieves and serves attacker-controlled HTML and JavaScript instead of the intended interface. The issue affects applications that use the Agent.to_web method to serve a chat interface and the clai web command that serves one from the CLI; both are typically run locally on localhost but can also be deployed on a remote server. Because the served code executes in the context of the application in the victim's browser, the result is a severe client-side risk.
The impact goes beyond code execution: when a victim clicks a malicious link or loads it in an iframe, attacker-controlled JavaScript runs in their browser and can read chat history and other sensitive client-side data. The flaw is classified as CWE-23 (path traversal), which covers improper input validation that lets attackers traverse directory structures and reach unauthorized resources, and the attack pattern is mapped to ATT&CK technique T1566.001, which covers the use of malicious links to deliver malware or execute unauthorized code. Its severity is amplified by the fact that both local development environments and remote server deployments are affected, making it a critical concern for organizations running Pydantic AI in production.
Organizations running affected versions of Pydantic AI should upgrade to 1.51.0 or later without delay. The fix validates the version query parameter before it is used to construct the CDN URL. Security teams should also audit their Pydantic AI deployments, confirm that every application exposing Agent.to_web or clai web has been updated, and check for signs of compromise. Network monitoring for unusual CDN access patterns can surface exploitation attempts, and deployment configurations should be reviewed so that development and production environments are properly isolated. The case is a reminder that user-supplied parameters which influence where content is fetched from must be strictly validated.
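The two ways of building the CDN URL discussed above, plus the detection check suggested for access logs, as an added example that is not code from Pydantic AI or from VulDB; the CDN host, package name and log format are placeholders I assumed for illustration, and the allow-list regex is the mitigation, not a claim about how the project's fix is written:

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed CDN layout: placeholder host and package name, not the project's real ones.
CDN_BASE = "https://cdn.example.invalid/"
UI_PACKAGE = "chat-ui"
DEFAULT_VERSION = "1.0.0"

# Allow-list grammar for the version: MAJOR.MINOR.PATCH plus an optional pre-release
# suffix limited to [0-9A-Za-z.-]. No "/", "@", "?" or "#" can pass, so a value that
# matches cannot step out of the <package>@<version>/ directory on the CDN.
_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")


def is_valid_ui_version(version: str) -> bool:
    return _VERSION_RE.fullmatch(version) is not None


def build_cdn_url_vulnerable(query: dict) -> str:
    """The flawed pattern the advisory describes: the request's version value is
    interpolated into the CDN path unchecked (reconstruction, not the project's code)."""
    version = query.get("version", DEFAULT_VERSION)
    return f"{CDN_BASE}{UI_PACKAGE}@{version}/index.js"


def build_cdn_url_hardened(query: dict) -> str:
    """Validate the version before it touches the URL, then re-check the result."""
    version = query.get("version", DEFAULT_VERSION)
    if not is_valid_ui_version(version):
        raise ValueError(f"rejected version parameter: {version!r}")
    url = f"{CDN_BASE}{UI_PACKAGE}@{version}/index.js"
    # Defence in depth: the path must still sit directly under <package>@<version>/.
    segments = urlsplit(url).path.split("/")
    if segments[1] != f"{UI_PACKAGE}@{version}" or ".." in segments:
        raise ValueError("constructed URL escapes the UI package directory")
    return url


def flag_suspicious_requests(access_log_lines: list) -> list:
    """Detection side: return request targets whose version parameter fails the
    allow-list, for reviewing web-UI access logs for exploitation attempts."""
    flagged = []
    for line in access_log_lines:
        parts = line.split()  # constructed format: "<ip> <method> <target> <status>"
        if len(parts) < 3:
            continue
        target = parts[2]
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if any(not is_valid_ui_version(v) for v in params.get("version", [])):
            flagged.append(target)
    return flagged
```

The vulnerable builder is only there to show how the unchecked value lands in the URL; an application should ship the hardened builder and run the log check over its own web-UI access logs.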