| Título | vercel ai @ai-sdk/[email protected] Server-Side Request Forgery (SSRF) (CWE-918) |
|---|
| Descripción | # Technical Details
A Blind Server-Side Request Forgery (SSRF) bypass vulnerability exists in the `downloadBlob` method in `packages/provider-utils/src/download-blob.ts` of vercel/ai.
The application fails to prevent malicious HTTP redirects from communicating with internal architectures. The `validateDownloadUrl` function enforces SSRF IP blocklists stringently on the primary passed URL, but fails to accommodate the native Node.js `fetch()` mechanism dynamically executing 3xx HTTP redirects back to internal networks before performing post-flight validations.
# Vulnerable Code
File: packages/provider-utils/src/download-blob.ts
Method: downloadBlob
Why: An inherent Time-of-Check to Time-of-Use logic error. `fetch()` conducts automatic transparent redirect following, so by the time `if (response.redirected) validateDownloadUrl(response.url)` invokes, the `GET` request has already effectively landed on the private/internal target.
# Reproduction
1. Start an attacker-controlled HTTP server configured to return HTTP 302 redirects with a `Location` header to `http://127.0.0.1:9091/admin/delete`.
2. Formulate and submit an image fetch request payload pointing toward the external attacker IP.
3. The SDK logic successfully skips initial constraints, triggering the `fetch()`. The attacker server answers 302, bouncing the Node logic cleanly into executing the internal request path successfully.
# Impact
- Internal State Alteration: Capable of triggering arbitrary state-changing HTTP GET paths on loopback administrative APIs without authorization.
- Disclosure risks toward unpatched AWS Metadata endpoint architectures. |
|---|
| Fuente | ⚠️ https://gist.github.com/YLChen-007/cf7e47e4dda392f474ca77a66d1d847f |
|---|
| Usuario | Eric-f (UID 96873) |
|---|
| Sumisión | 2026-04-23 14:47 (hace 1 mes) |
|---|
| Moderación | 2026-05-17 11:28 (24 days later) |
|---|
| Estado | Duplicado |
|---|
| Entrada de VulDB | 364393 [vercel ai hasta 3.0.97 provider-utils download-blob.ts validateDownloadUrl escalada de privilegios] |
|---|
| Puntos | 0 |
|---|