修复 Vercel AI SDK 输入验证绕过漏洞 (CVE-2025-48985)

A low-severity security vulnerability in Vercel's AI SDK was responsibly disclosed, and has been fixed for 5.0.52, 6.0.0-beta.* The issue may have allowed users to bypass filetype whitelists when uploading files.

Vercel customers are encouraged to upgrade to the latest version. Read more details below.

Summary

Vulnerability in Vercel's AI SDK prompt conversion pipeline where improper URL-to-data mapping allows attackers to substitute arbitrary downloaded bytes for different supported URLs within the same prompt. The vulnerability occurs in the convert-to-language-model-prompt.ts file when filtering downloaded results could cause index misalignment between the downloadedFiles array and the original plannedDownloads array.

Impact

When processing mixed supported and unsupported URLs, the filtering operation removes null entries for supported URLs, causing the remaining downloaded data to be incorrectly associated with different URL keys. This results in bytes from an unsupported URL being mapped to a supported URL slot, allowing attackers to inject arbitrary content while bypassing URL-based trust and content validation mechanisms.

This affects most methods that accepted images or files as inputs, unless explicit data validation was implemented outside of the SDK. Namely the generateText() and streamText() functions.

Resolution

The issue was resolved by mapping files before filtering out empty ones to retain the correct index in:

• 5.0.52

• 6.0.0-beta.*

Workarounds

• Implementing custom filetype validation logic outside of the SDK.

Credit

Thanks to @aphantom for responsible disclosure.

References

• https://github.com/vercel/ai/issues/8881

• https://www.cve.org/CVERecord?id=CVE-2025-48985

Read more