| Titre | vercel ai @ai-sdk/[email protected] Server-Side Request Forgery (SSRF) (CWE-918) |
|---|
| Description | # Technical Details
A Blind Server-Side Request Forgery (SSRF) bypass vulnerability exists in the `downloadBlob` method in `packages/provider-utils/src/download-blob.ts` of vercel/ai.
The application fails to completely enforce an IP blacklisting mechanism because the native `fetch()` API behaves with `redirect: 'follow'`. Remote attackers can send an image URL linking to a public server they control (like `httpbin.org/redirect-to`), which bypasses the initial public IP static checks but forces `fetch()` to follow HTTP 302 redirects toward otherwise forbidden loopback interfaces (`127.0.0.1`).
# Vulnerable Code
File: packages/provider-utils/src/download-blob.ts
Method: downloadBlob
Why: Initial blacklist evaluations successfully parse public target endpoints as benign. However, subsequent native `fetch()` calls will route following HTTP redirects to internal systems. Post-flight URL verification evaluates too late to prevent the network call implementation.
# Reproduction
1. Initiate a public URL webserver or rely on an Open Redirect service configured to route responses to `http://127.0.0.1:8080/secret-path`.
2. Find the AI application boundary processing endpoints which accept URLs (for instance, the SDK AI endpoint resolving uploaded images).
3. Post the public proxy URL (`http://httpbin.org/redirect-to?url=http%3A%2F%2F127.0.0.1...`).
4. The destination HTTP GET payload will reach the `127.0.0.1` internal application listener.
# Impact
- SSRF Traversal: Allows issuing arbitrary GET requests to internal/local components.
- Mutating states on unprotected internal microservices, AWS Metadata, and docker daemons. |
|---|
| La source | ⚠️ https://gist.github.com/YLChen-007/07d149bd68adbee58165b4207a2abc71 |
|---|
| Utilisateur | Eric-f (UID 96873) |
|---|
| Soumission | 23/04/2026 14:47 (il y a 1 mois) |
|---|
| Modérer | 17/05/2026 11:28 (24 days later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 364393 [vercel ai jusqu’à 3.0.97 provider-utils download-blob.ts validateDownloadUrl élévation de privilèges] |
|---|
| Points | 20 |
|---|