PT-2026-6846 · Pypi · Pydantic-Ai+1
New
Published
2026-02-06
·
Updated
2026-02-06
CVSS v3.1
8.6
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI's URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials.
This vulnerability only affects applications that accept message history from external users, such as those using:
Agent.to weborclai webto serve a chat interfaceVercelAIAdapterfor Vercel AI SDK integrationAGUIAdapterorAgent.to ag uifor AG-UI protocol integration- Custom APIs that accept message history from user input
Applications that only use hardcoded or developer-controlled URLs are not affected.
Description
The
download item() helper function downloads content from URLs without validating that the target is a public internet address. When user-supplied message history contains URLs, attackers can:- Access internal services: Request
http://127.0.0.1,localhost, or private IP ranges (10.x.x.x,172.16.x.x,192.168.x.x) - Steal cloud credentials: Access cloud metadata endpoints (AWS IMDSv1 at
169.254.169.254, GCP, Azure, Alibaba Cloud) - Scan internal networks: Enumerate internal hosts and ports
Who Is Affected
You are affected if your application:
-
Uses
Agent.to weborclai web- The web interface accepts file attachments via the Vercel AI Data Stream Protocol, where users can provide arbitrary URLs through chat messages. -
Uses
VercelAIAdapter- Chat interfaces built with Vercel AI SDK allow users to submit messages containing URLs that are processed server-side. -
Uses
AGUIAdapterorAgent.to ag ui- The AG-UI protocol allows users to provide file references with URLs as part of agent interactions. -
Exposes a custom API accepting message history - Any endpoint that accepts message history or
ImageUrl,AudioUrl,VideoUrl,DocumentUrlobjects from user input.
Attack Scenario
Via chat interface, an attacker submits a message with a file attachment pointing to an internal resource:
{
"role": "user",
"parts": [
{"type": "file", "mediaType": "image/png", "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}
]
}Affected Model Integrations
Multiple model integrations download URL content in certain conditions:
| Provider | Downloaded Types |
|---|---|
OpenAIChatModel | AudioUrl, DocumentUrl |
AnthropicModel | DocumentUrl (text/plain) |
GoogleModel (GLA) | All URL types (except YouTube and Files API URLs) |
XaiModel | DocumentUrl |
BedrockConverseModel | ImageUrl, DocumentUrl, VideoUrl (non-S3 URLs) |
OpenRouterModel | AudioUrl |
Remediation
Upgrade to Patched Version
Upgrade to the patched version or later. The fix adds comprehensive SSRF protection:
- Blocks private/internal IP addresses by default
- Always blocks cloud metadata endpoints (even with
allow-local) - Only allows
http://andhttps://protocols - Resolves hostnames before requests to prevent DNS rebinding
- Validates each redirect target
New force download='allow-local' Option
If an application legitimately needs to access local/private network resources (e.g., in a fully trusted internal environment), it can explicitly opt in:
from pydantic ai import ImageUrl
# Default behavior: private IPs are blocked
ImageUrl(url="http://internal-service/image.png") # Raises ValueError
# Opt-in to allow local access (use with caution)
ImageUrl(url="http://internal-service/image.png", force download='allow-local')Important: Cloud metadata endpoints (
169.254.169.254, fd00:ec2::254, 100.100.100.200) are always blocked, even with allow-local.Workaround for Older Versions
If a project cannot upgrade immediately, use a history processor to filter out URLs targeting local/private addresses:
import ipaddress
import socket
from urllib.parse import urlparse
from pydantic ai import Agent, ModelMessage, ModelRequest
from pydantic ai.messages import AudioUrl, DocumentUrl, ImageUrl, VideoUrl
def is private url(url: str) -> bool:
"""Check if a URL targets a private/internal IP address."""
try:
parsed = urlparse(url)
hostname = parsed.hostname
if not hostname:
return True # Invalid URL, block it
# Resolve hostname to IP
ip str = socket.gethostbyname(hostname)
ip = ipaddress.ip address(ip str)
# Block private, loopback, and link-local addresses
return ip.is private or ip.is loopback or ip.is link local
except (socket.gaierror, ValueError):
return True # DNS resolution failed, block it
def filter private urls(messages: list[ModelMessage]) -> list[ModelMessage]:
"""Remove URL parts that target private/internal addresses."""
url types = (ImageUrl, AudioUrl, VideoUrl, DocumentUrl)
filtered = []
for msg in messages:
if isinstance(msg, ModelRequest):
safe parts = [
part for part in msg.parts
if not (isinstance(part, url types) and is private url(part.url))
]
if safe parts:
filtered.append(ModelRequest(parts=safe parts))
else:
filtered.append(msg)
return filtered
# Apply the filter to your agent
agent = Agent('openai:gpt-5', history processors=[filter private urls])Technical Details of the Fix
The fix introduces a new
ssrf.py module with comprehensive protection:- Protocol validation: Only
http://andhttps://allowed - DNS resolution before request: Prevents DNS rebinding attacks
- Private IP blocking (by default):
127.0.0.0/8,::1/128(loopback)10.0.0.0/8,172.16.0.0/12,192.168.0.0/16(private)169.254.0.0/16,fe80::/10(link-local)100.64.0.0/10(CGNAT)fc00::/7(unique local)2002::/16(6to4, can embed private IPv4)
- Cloud metadata always blocked:
169.254.169.254,fd00:ec2::254,100.100.100.200 - Safe redirect handling: Each redirect validated before following (max 10)
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Pydantic-Ai
Pydantic-Ai-Slim