| Title | vercel ai @ai-sdk/[email protected] Server-Side Request Forgery (SSRF) (CWE-918) |
|---|
| Description | # Technical Details
A Blind Server-Side Request Forgery (SSRF) bypass vulnerability exists in the `downloadBlob` method in `packages/provider-utils/src/download-blob.ts` of vercel/ai.
The application fails to completely enforce an IP blacklisting mechanism because the native `fetch()` API behaves with `redirect: 'follow'`. Remote attackers can send an image URL linking to a public server they control (like `httpbin.org/redirect-to`), which bypasses the initial public IP static checks but forces `fetch()` to follow HTTP 302 redirects toward otherwise forbidden loopback interfaces (`127.0.0.1`).
# Vulnerable Code
File: packages/provider-utils/src/download-blob.ts
Method: downloadBlob
Why: Initial blacklist evaluations successfully parse public target endpoints as benign. However, subsequent native `fetch()` calls will route following HTTP redirects to internal systems. Post-flight URL verification evaluates too late to prevent the network call implementation.
# Reproduction
1. Initiate a public URL webserver or rely on an Open Redirect service configured to route responses to `http://127.0.0.1:8080/secret-path`.
2. Find the AI application boundary processing endpoints which accept URLs (for instance, the SDK AI endpoint resolving uploaded images).
3. Post the public proxy URL (`http://httpbin.org/redirect-to?url=http%3A%2F%2F127.0.0.1...`).
4. The destination HTTP GET payload will reach the `127.0.0.1` internal application listener.
# Impact
- SSRF Traversal: Allows issuing arbitrary GET requests to internal/local components.
- Mutating states on unprotected internal microservices, AWS Metadata, and docker daemons. |
|---|
| Source | ⚠️ https://gist.github.com/YLChen-007/07d149bd68adbee58165b4207a2abc71 |
|---|
| User | Eric-f (UID 96873) |
|---|
| Submission | 04/23/2026 14:47 (3 months ago) |
|---|
| Moderation | 05/17/2026 11:28 (24 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 364393 [vercel ai up to 3.0.97 provider-utils download-blob.ts validateDownloadUrl server-side request forgery] |
|---|
| Points | 20 |
|---|