| Название | vercel ai @ai-sdk/[email protected] Server-Side Request Forgery (SSRF) (CWE-918) |
|---|
| Описание | # Technical Details
A Blind Server-Side Request Forgery (SSRF) bypass vulnerability exists in the `downloadBlob` method in `packages/provider-utils/src/download-blob.ts` of vercel/ai.
The application fails to completely enforce an IP blacklisting mechanism because the native `fetch()` API behaves with `redirect: 'follow'`. Remote attackers can send an image URL linking to a public server they control (like `httpbin.org/redirect-to`), which bypasses the initial public IP static checks but forces `fetch()` to follow HTTP 302 redirects toward otherwise forbidden loopback interfaces (`127.0.0.1`).
# Vulnerable Code
File: packages/provider-utils/src/download-blob.ts
Method: downloadBlob
Why: Initial blacklist evaluations successfully parse public target endpoints as benign. However, subsequent native `fetch()` calls will route following HTTP redirects to internal systems. Post-flight URL verification evaluates too late to prevent the network call implementation.
# Reproduction
1. Initiate a public URL webserver or rely on an Open Redirect service configured to route responses to `http://127.0.0.1:8080/secret-path`.
2. Find the AI application boundary processing endpoints which accept URLs (for instance, the SDK AI endpoint resolving uploaded images).
3. Post the public proxy URL (`http://httpbin.org/redirect-to?url=http%3A%2F%2F127.0.0.1...`).
4. The destination HTTP GET payload will reach the `127.0.0.1` internal application listener.
# Impact
- SSRF Traversal: Allows issuing arbitrary GET requests to internal/local components.
- Mutating states on unprotected internal microservices, AWS Metadata, and docker daemons. |
|---|
| Источник | ⚠️ https://gist.github.com/YLChen-007/07d149bd68adbee58165b4207a2abc71 |
|---|
| Пользователь | Eric-f (UID 96873) |
|---|
| Представление | 23.04.2026 14:47 (2 месяцы назад) |
|---|
| Модерация | 17.05.2026 11:28 (24 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 364393 [vercel ai до 3.0.97 provider-utils download-blob.ts validateDownloadUrl эскалация привилегий] |
|---|
| Баллы | 20 |
|---|