
Backport: fix(provider-utils): prevent unicode escape bypass in secureJsonParse#13083

Merged: vercel-ai-sdk[bot] merged 1 commit into release-v5.0 from backport-pr-13079-to-release-v5.0 on Mar 5, 2026

Conversation


@vercel-ai-sdk vercel-ai-sdk bot commented Mar 5, 2026

This is an automated backport of #13079 to the release-v5.0 branch. FYI @gr2m

…#13079)

## Summary

- Update `secureJsonParse` regex patterns to detect unicode-escaped
variants of `__proto__` and `constructor` keys, preventing prototype
pollution bypass
- Aligns with the upstream fix in
[fastify/secure-json-parse](https://github.com/fastify/secure-json-parse)
- Add regression tests for partial and fully unicode-escaped key
variants

## Security

Resolves VULN-774. The previous regex fast-path only matched literal
`"__proto__"` and `"constructor"` strings. Unicode escapes (e.g.,
`\u005f\u005fproto__`) bypassed the regex gate, skipping the `filter()`
safety check, while `JSON.parse` still normalized them into dangerous
keys.

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
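The gate bypass described in the commit message above, as an added example in JavaScript that is not the ai-sdk or fastify/secure-json-parse code: a minimal secureJsonParse-style parser with a hypothetical literal-only gate (`NAIVE_SUSPECT`), an escape-aware gate (`HARDENED_SUSPECT`, built by `escapeAwarePattern`), a `filter()` walk over the parsed value, and a recursive `unsafeMerge` standing in for the downstream code that turns an own `__proto__` key into Object.prototype pollution. All function names and the sample payloads are constructed for this example.

```javascript
// Added example, not the ai-sdk or fastify/secure-json-parse source.
// Shows why a literal-only regex fast path misses \u-escaped keys that
// JSON.parse still decodes to __proto__ / constructor, and an escape-aware gate.

// Hypothetical literal-only gate: the pattern the escape bypass defeats.
const NAIVE_SUSPECT = /"(?:__proto__|constructor)"\s*:/;

// Build a pattern matching `key` where each character may appear literally or
// as a JSON \uXXXX escape (either hex case). Only for [A-Za-z0-9_] keys, so no
// regex metacharacters need quoting.
function escapeAwarePattern(key) {
  return [...key]
    .map((ch) => {
      const hex = ch.charCodeAt(0).toString(16).padStart(4, '0');
      const hexEitherCase = hex.replace(/[a-f]/g, (h) => `[${h}${h.toUpperCase()}]`);
      return `(?:${ch}|\\\\u${hexEitherCase})`;
    })
    .join('');
}

const HARDENED_SUSPECT = new RegExp(
  `"(?:${escapeAwarePattern('__proto__')}|${escapeAwarePattern('constructor')})"\\s*:`
);

// Slow path: walk the parsed value and reject own __proto__ keys and
// constructor.prototype pairs wherever they appear.
function filter(value) {
  const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  const stack = [value];
  while (stack.length > 0) {
    const node = stack.pop();
    if (node === null || typeof node !== 'object') continue;
    if (hasOwn(node, '__proto__')) throw new SyntaxError('Object contains forbidden prototype property');
    if (hasOwn(node, 'constructor') && node.constructor !== null &&
        typeof node.constructor === 'object' && hasOwn(node.constructor, 'prototype')) {
      throw new SyntaxError('Object contains forbidden prototype property');
    }
    for (const child of Object.values(node)) stack.push(child);
  }
  return value;
}

// secureJsonParse-style entry point: parse, then run filter() only if the raw
// text trips the gate. A gate that misses escaped keys skips filter() entirely.
function secureJsonParse(text, gate) {
  const parsed = JSON.parse(text);
  if (parsed === null || typeof parsed !== 'object') return parsed;
  if (!gate.test(text)) return parsed; // fast path
  return filter(parsed);
}

// Constructed payloads: literal key, partially and fully escaped __proto__,
// an escaped constructor, and a benign document that must still be accepted.
const PAYLOADS = {
  literal: '{"__proto__": {"polluted": true}}',
  partial: '{"\\u005f\\u005fproto__": {"polluted": true}}',
  full: '{"\\u005F\\u005F\\u0070\\u0072\\u006F\\u0074\\u006F\\u005F\\u005F": {"polluted": true}}',
  ctor: '{"\\u0063onstructor": {"prototype": {"polluted": true}}}',
  benign: '{"name": "proto", "_proto_": 1, "nested": [{"constructor": "x"}]}',
};

function outcome(text, gate) {
  try {
    secureJsonParse(text, gate);
    return 'accepted';
  } catch (e) {
    return 'rejected';
  }
}

// Run every payload through both gates; returns {name: {naive, hardened}}.
function compare() {
  const result = {};
  for (const [name, text] of Object.entries(PAYLOADS)) {
    result[name] = { naive: outcome(text, NAIVE_SUSPECT), hardened: outcome(text, HARDENED_SUSPECT) };
  }
  return result;
}

// Typical deep-merge helper: target['__proto__'] resolves to Object.prototype,
// so an own __proto__ key in `source` writes into every object's prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && target[key] && typeof target[key] === 'object') {
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Returns true if feeding the partially escaped payload through `gate` and then
// unsafeMerge() polluted Object.prototype (cleaned up before returning).
function demonstratePollution(gate) {
  const parsed = secureJsonParse(PAYLOADS.partial, gate); // throws for the hardened gate
  unsafeMerge({}, parsed);
  const polluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  return polluted;
}

console.table(compare());
console.log('naive gate lets unsafeMerge pollute Object.prototype:', demonstratePollution(NAIVE_SUSPECT));
```

The gate is only an optimisation that decides whether `filter()` runs, so it must accept every spelling that `JSON.parse` will decode to the dangerous key; the `benign` payload shows that a gate hit is harmless, since `filter()` still accepts it. Generating the pattern from the key rather than hand-writing it keeps the two in sync if further keys are ever added.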
@vercel-ai-sdk vercel-ai-sdk bot enabled auto-merge (squash) March 5, 2026 00:05
@tigent tigent bot added labels Mar 5, 2026: ai/provider (related to a provider package; must be assigned together with at least one `provider/*` label), backport (admins only: add this label to a pull request in order to backport it to the prior version), bug (something isn't working as documented)
@vercel-ai-sdk vercel-ai-sdk bot merged commit 17d64e3 into release-v5.0 Mar 5, 2026
28 checks passed
@vercel-ai-sdk vercel-ai-sdk bot deleted the backport-pr-13079-to-release-v5.0 branch March 5, 2026 00:13
vercel-ai-sdk bot added a commit that referenced this pull request Mar 5, 2026
