A low-severity security vulnerability in Vercel's AI SDK was responsibly disclosed, and has been fixed for 5.0.52, 6.0.0-beta.* The issue may have allowed users to bypass filetype whitelists when uploading files.
Vercel customers are encouraged to upgrade to the latest version. Read more details below.
Link to headingSummary
Vulnerability in Vercel's AI SDK prompt conversion pipeline where improper URL-to-data mapping allows attackers to substitute arbitrary downloaded bytes for different supported URLs within the same prompt. The vulnerability occurs in the convert-to-language-model-prompt.ts file when filtering downloaded results could cause index misalignment between the downloadedFiles array and the original plannedDownloads array.
Link to headingImpact
When processing mixed supported and unsupported URLs, the filtering operation removes null entries for supported URLs, causing the remaining downloaded data to be incorrectly associated with different URL keys. This results in bytes from an unsupported URL being mapped to a supported URL slot, allowing attackers to inject arbitrary content while bypassing URL-based trust and content validation mechanisms.
This affects most methods that accepted images or files as inputs, unless explicit data validation was implemented outside of the SDK. Namely the generateText() and streamText() functions.
Link to headingResolution
The issue was resolved by mapping files before filtering out empty ones to retain the correct index in:
5.0.52
6.0.0-beta.*
Link to headingWorkarounds
Implementing custom filetype validation logic outside of the SDK.
Link to headingCredit
Thanks to @aphantom for responsible disclosure.