logo

Database

Server-side request forgery (SSRF) In pydantic-ai-slim

Description

Pydantic AI has Server-Side Request Forgery (SSRF) in URL Download Handling

Summary

A Server-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI's URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials.

This vulnerability only affects applications that accept message history from external users, such as those using:

    Agent.to_web or clai web to serve a chat interface

    VercelAIAdapter for Vercel AI SDK integration

    AGUIAdapter or Agent.to_ag_ui for AG-UI protocol integration

    Custom APIs that accept message history from user input

Applications that only use hardcoded or developer-controlled URLs are not affected.

Description

The download_item() helper function downloads content from URLs without validating that the target is a public internet address. When user-supplied message history contains URLs, attackers can:

    Access internal services: Request http://127.0.0.1, localhost, or private IP ranges (10.x.x.x, 172.16.x.x, 192.168.x.x)

    Steal cloud credentials: Access cloud metadata endpoints (AWS IMDSv1 at 169.254.169.254, GCP, Azure, Alibaba Cloud)

    Scan internal networks: Enumerate internal hosts and ports

Who Is Affected

You are affected if your application:

    Uses Agent.to_web or clai web - The web interface accepts file attachments via the Vercel AI Data Stream Protocol, where users can provide arbitrary URLs through chat messages.

    Uses VercelAIAdapter - Chat interfaces built with Vercel AI SDK allow users to submit messages containing URLs that are processed server-side.

    Uses AGUIAdapter or Agent.to_ag_ui - The AG-UI protocol allows users to provide file references with URLs as part of agent interactions.

    Exposes a custom API accepting message history - Any endpoint that accepts message history or ImageUrl, AudioUrl, VideoUrl, DocumentUrl objects from user input.

Attack Scenario

Via chat interface, an attacker submits a message with a file attachment pointing to an internal resource:

{
  "role": "user",
  "parts": [
    {"type": "file", "mediaType": "image/png", "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}
  ]
}

Affected Model Integrations

Multiple model integrations download URL content in certain conditions:

Provider
Downloaded Types

Remediation

Upgrade to Patched Version

Upgrade to the patched version or later. The fix adds comprehensive SSRF protection:

    Blocks private/internal IP addresses by default

    Always blocks cloud metadata endpoints (even with allow-local)

    Only allows http:// and https:// protocols

    Resolves hostnames before requests to prevent DNS rebinding

    Validates each redirect target

New force_download='allow-local' Option

If an application legitimately needs to access local/private network resources (e.g., in a fully trusted internal environment), it can explicitly opt in:

from pydantic_ai import ImageUrl

# Default behavior: private IPs are blocked
ImageUrl(url="http://internal-service/image.png")  # Raises ValueError

# Opt-in to allow local access (use with caution)
ImageUrl(url="http://internal-service/image.png", force_download='allow-local')

Important: Cloud metadata endpoints (169.254.169.254, fd00:ec2::254, 100.100.100.200) are always blocked, even with allow-local.

Workaround for Older Versions

If a project cannot upgrade immediately, use a history processor to filter out URLs targeting local/private addresses:

import ipaddress
import socket
from urllib.parse import urlparse

from pydantic_ai import Agent, ModelMessage, ModelRequest
from pydantic_ai.messages import AudioUrl, DocumentUrl, ImageUrl, VideoUrl

def is_private_url(url: str) -> bool:...

Technical Details of the Fix

The fix introduces a new _ssrf.py module with comprehensive protection:

    Protocol validation: Only http:// and https:// allowed

    DNS resolution before request: Prevents DNS rebinding attacks

    Private IP blocking (by default):

      127.0.0.0/8, ::1/128 (loopback)

      10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 (private)

      169.254.0.0/16, fe80::/10 (link-local)

      100.64.0.0/10 (CGNAT)

      fc00::/7 (unique local)

      2002::/16 (6to4, can embed private IPv4)

    Cloud metadata always blocked: 169.254.169.254, fd00:ec2::254, 100.100.100.200

    Safe redirect handling: Each redirect validated before following (max 10)

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-255802. NVD-2026-255803. OSV-2026-255804. GHSA-2jrp-274c-jhv35. GCVE-2026-25580

References

1. https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv32. https://github.com/pydantic/pydantic-ai/commit/d398bc9d39aecca6530fa7486a410d5cce936301

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.