Backport: fix(security): validate redirect targets in download functions to prevent SSRF bypass by vercel-ai-sdk[bot] · Pull Request #13127 · vercel/ai

vercel-ai-sdk · 2026-03-05T20:22:39Z

This is an automated backport of #13111 to the release-v6.0 branch. FYI @gr2m

…vent SSRF bypass (#13111) ## Background The existing `validateDownloadUrl` (added in #13085) only validates the initial URL before `fetch()`. Since `fetch()` follows HTTP redirects by default, an attacker can bypass SSRF protections by providing a safe-looking public URL that 302-redirects to internal endpoints (e.g., `http://169.254.169.254/latest/meta-data/`), enabling in-band response body exfiltration through the AI model's response. ## Summary Added `response.redirected` check with `validateDownloadUrl(response.url)` in both `downloadBlob` (`@ai-sdk/provider-utils`) and `download` (`ai`) functions to validate the final URL after following redirects, before reading the response body. ## Manual Verification - `pnpm vitest run packages/provider-utils/src/download-blob.test.ts` — 16 tests pass - `pnpm vitest run packages/provider-utils/src/validate-download-url.test.ts` — 29 tests pass - `pnpm vitest run packages/ai/src/util/download/download.test.ts -t "SSRF"` — 5 tests pass

vercel-ai-sdk · 2026-03-05T20:42:44Z

⚠️ Backport to release-v5.0 created but has conflicts: #13130

vercel-ai-sdk · 2026-03-05T21:06:25Z

🚀 Published in:

Package	Version
`ai`	`6.0.118`
`@ai-sdk/alibaba`	`1.0.11`
`@ai-sdk/amazon-bedrock`	`4.0.78`
`@ai-sdk/angular`	`2.0.119`
`@ai-sdk/anthropic`	`3.0.59`
`@ai-sdk/assemblyai`	`2.0.25`
`@ai-sdk/azure`	`3.0.44`
`@ai-sdk/baseten`	`1.0.39`
`@ai-sdk/black-forest-labs`	`1.0.25`
`@ai-sdk/bytedance`	`1.0.5`
`@ai-sdk/cerebras`	`2.0.40`
`@ai-sdk/cohere`	`3.0.26`
`@ai-sdk/deepgram`	`2.0.25`
`@ai-sdk/deepinfra`	`2.0.40`
`@ai-sdk/deepseek`	`2.0.25`
`@ai-sdk/elevenlabs`	`2.0.25`
`@ai-sdk/fal`	`2.0.26`
`@ai-sdk/fireworks`	`2.0.41`
`@ai-sdk/gateway`	`3.0.68`
`@ai-sdk/gladia`	`2.0.25`
`@ai-sdk/google`	`3.0.46`
`@ai-sdk/google-vertex`	`4.0.83`
`@ai-sdk/groq`	`3.0.30`
`@ai-sdk/huggingface`	`1.0.38`
`@ai-sdk/hume`	`2.0.25`
`@ai-sdk/klingai`	`3.0.9`
`@ai-sdk/langchain`	`2.0.124`
`@ai-sdk/llamaindex`	`2.0.118`
`@ai-sdk/lmnt`	`2.0.25`
`@ai-sdk/luma`	`2.0.25`
`@ai-sdk/mcp`	`1.0.26`
`@ai-sdk/mistral`	`3.0.25`
`@ai-sdk/moonshotai`	`2.0.11`
`@ai-sdk/open-responses`	`1.0.7`
`@ai-sdk/openai`	`3.0.43`
`@ai-sdk/openai-compatible`	`2.0.36`
`@ai-sdk/perplexity`	`3.0.24`
`@ai-sdk/prodia`	`1.0.22`
`@ai-sdk/provider-utils`	`4.0.20`
`@ai-sdk/react`	`3.0.120`
`@ai-sdk/replicate`	`2.0.25`
`@ai-sdk/revai`	`2.0.25`
`@ai-sdk/rsc`	`2.0.118`
`@ai-sdk/svelte`	`4.0.118`
`@ai-sdk/togetherai`	`2.0.40`
`@ai-sdk/valibot`	`2.0.21`
`@ai-sdk/vercel`	`2.0.38`
`@ai-sdk/vue`	`3.0.118`
`@ai-sdk/xai`	`3.0.68`

…oad functions to prevent SSRF bypass (#13130) This is an automated backport of #13127 to the release-v5.0 branch. --------- Co-authored-by: vercel-ai-sdk[bot] <225926702+vercel-ai-sdk[bot]@users.noreply.github.com> Co-authored-by: Gregor Martynus <39992+gr2m@users.noreply.github.com>

vercel-ai-sdk bot assigned gr2m Mar 5, 2026

vercel-ai-sdk bot enabled auto-merge (squash) March 5, 2026 20:22

vercel-ai-sdk bot mentioned this pull request Mar 5, 2026

fix(security): validate redirect targets in download functions to prevent SSRF bypass #13111

Merged

4 tasks

tigent bot added ai/core core functions like generateText, streamText, etc. Provider utils, and provider spec. ai/provider related to a provider package. Must be assigned together with at least one `provider/*` label bug Something isn't working as documented labels Mar 5, 2026

vercel bot deployed to Preview March 5, 2026 20:24 View deployment

gr2m approved these changes Mar 5, 2026

View reviewed changes

vercel-ai-sdk bot merged commit 64ac0fd into release-v6.0 Mar 5, 2026
26 checks passed

vercel-ai-sdk bot deleted the backport-pr-13111-to-release-v6.0 branch March 5, 2026 20:37

gr2m added the backport Admins only: add this label to a pull request in order to backport it to the prior version label Mar 5, 2026

vercel-ai-sdk bot added a commit that referenced this pull request Mar 5, 2026

Backport conflicts for PR #13127 to release-v5.0

4c91e0f

vercel-ai-sdk bot mentioned this pull request Mar 5, 2026

Backport: Backport: fix(security): validate redirect targets in download functions to prevent SSRF bypass #13130

Merged

vercel-ai-sdk bot removed the backport Admins only: add this label to a pull request in order to backport it to the prior version label Mar 5, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Backport: fix(security): validate redirect targets in download functions to prevent SSRF bypass#13127

Backport: fix(security): validate redirect targets in download functions to prevent SSRF bypass#13127
vercel-ai-sdk[bot] merged 1 commit intorelease-v6.0from
backport-pr-13111-to-release-v6.0

vercel-ai-sdk bot commented Mar 5, 2026

Uh oh!

Uh oh!

vercel-ai-sdk bot commented Mar 5, 2026

Uh oh!

vercel-ai-sdk bot commented Mar 5, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

vercel-ai-sdk bot commented Mar 5, 2026

Uh oh!

Uh oh!

vercel-ai-sdk bot commented Mar 5, 2026

Uh oh!

vercel-ai-sdk bot commented Mar 5, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant