| 标题 | vercel ai @ai-sdk/[email protected] Server-Side Request Forgery (SSRF) (CWE-918) |
|---|
| 描述 | # Technical Details
A Blind Server-Side Request Forgery (SSRF) bypass vulnerability exists in the `downloadBlob` method in `packages/provider-utils/src/download-blob.ts` of vercel/ai.
The application fails to completely enforce an IP blacklisting mechanism because the native `fetch()` API behaves with `redirect: 'follow'`. Remote attackers can send an image URL linking to a public server they control (like `httpbin.org/redirect-to`), which bypasses the initial public IP static checks but forces `fetch()` to follow HTTP 302 redirects toward otherwise forbidden loopback interfaces (`127.0.0.1`).
# Vulnerable Code
File: packages/provider-utils/src/download-blob.ts
Method: downloadBlob
Why: Initial blacklist evaluations successfully parse public target endpoints as benign. However, subsequent native `fetch()` calls will route following HTTP redirects to internal systems. Post-flight URL verification evaluates too late to prevent the network call implementation.
# Reproduction
1. Initiate a public URL webserver or rely on an Open Redirect service configured to route responses to `http://127.0.0.1:8080/secret-path`.
2. Find the AI application boundary processing endpoints which accept URLs (for instance, the SDK AI endpoint resolving uploaded images).
3. Post the public proxy URL (`http://httpbin.org/redirect-to?url=http%3A%2F%2F127.0.0.1...`).
4. The destination HTTP GET payload will reach the `127.0.0.1` internal application listener.
# Impact
- SSRF Traversal: Allows issuing arbitrary GET requests to internal/local components.
- Mutating states on unprotected internal microservices, AWS Metadata, and docker daemons. |
|---|
| 来源 | ⚠️ https://gist.github.com/YLChen-007/07d149bd68adbee58165b4207a2abc71 |
|---|
| 用户 | Eric-f (UID 96873) |
|---|
| 提交 | 2026-04-23 14時47分 (1 月前) |
|---|
| 管理 | 2026-05-17 11時28分 (24 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 364393 [vercel ai 直到 3.0.97 provider-utils download-blob.ts validateDownloadUrl 权限提升] |
|---|
| 积分 | 20 |
|---|