Backport: fix: allow inline data URLs in download validation (#13624)

vercel-ai-sdk[bot] · fahe1em1 · gr2m · web-flow · commit 0469aed21998 · 2026-04-02T20:41:39.000Z
This is an automated backport of #13376 to the release-v6.0 branch. FYI @fahe1em1 --------- Co-authored-by: fahe1em1 <131003503+fahe1em1@users.noreply.github.com> Co-authored-by: Gregor Martynus <39992+gr2m@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/.changeset/allow-data-urls-download.md b/.changeset/allow-data-urls-download.md
@@ -0,0 +1,6 @@
+---
+'@ai-sdk/provider-utils': patch
+'ai': patch
+---
+
+fix: allow inline data URLs in download validation
diff --git a/packages/ai/src/util/download/download.test.ts b/packages/ai/src/util/download/download.test.ts
@@ -137,6 +137,15 @@ describe('download', () => {
     );
   });
 
+  it('should allow inline data URLs', async () => {
+    const result = await download({
+      url: new URL('data:text/plain;base64,aGVsbG8='),
+    });
+
+    expect(result.data).toEqual(new TextEncoder().encode('hello'));
+    expect(result.mediaType).toBe('text/plain');
+  });
+
   it('should throw DownloadError when response is not ok', async () => {
     globalThis.fetch = vi.fn().mockResolvedValue({
       ok: false,
diff --git a/packages/provider-utils/src/validate-download-url.test.ts b/packages/provider-utils/src/validate-download-url.test.ts
@@ -27,6 +27,12 @@ describe('validateDownloadUrl', () => {
         validateDownloadUrl('https://example.com:8080/file'),
       ).not.toThrow();
     });
+
+    it('should allow data URLs', () => {
+      expect(() =>
+        validateDownloadUrl('data:text/plain;base64,aGVsbG8='),
+      ).not.toThrow();
+    });
   });
 
   describe('blocked protocols', () => {
@@ -47,12 +53,6 @@ describe('validateDownloadUrl', () => {
         DownloadError,
       );
     });
-
-    it('should block data: URLs', () => {
-      expect(() => validateDownloadUrl('data:text/plain,hello')).toThrow(
-        DownloadError,
-      );
-    });
   });
 
   describe('malformed URLs', () => {
diff --git a/packages/provider-utils/src/validate-download-url.ts b/packages/provider-utils/src/validate-download-url.ts
@@ -18,11 +18,16 @@ export function validateDownloadUrl(url: string): void {
     });
   }
 
-  // Only allow http and https protocols
+  // data: URLs are inline content, so they do not trigger a network fetch or SSRF risk.
+  if (parsed.protocol === 'data:') {
+    return;
+  }
+
+  // Only allow http and https network protocols
   if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
     throw new DownloadError({
       url,
-      message: `URL scheme must be http or https, got ${parsed.protocol}`,
+      message: `URL scheme must be http, https, or data, got ${parsed.protocol}`,
     });
   }
 
