### Key Information

#### Summary

- **Vulnerability Type**: Server-Side Request Forgery (SSRF)
- **Affected Versions**:
  - `pydantic-ai`: >= 0.0.26
  - `pydantic-ai-slim`: >= 0.0.26
- **Fixed Versions**:
  - `pydantic-ai`: 1.56.0
  - `pydantic-ai-slim`: 1.56.0
- **Description**: The URL download feature in Pydantic AI contains an SSRF vulnerability, allowing attackers to access internal resources and cloud credentials via malicious URLs embedded in message histories.

#### Affected Applications

- Applications using `Agent.to_web` or `clai_web` extensions for chat interfaces.
- Applications integrating Vercel AI SDK via `VercelAIAdapter`.
- Applications using AG-UI protocol integration via `AGUIAdapter` or `Agent.to_ag_ui`.
- Custom APIs that accept user-provided message histories.

#### Attack Scenario

- Submitting a file attachment message via chat interface pointing to internal resources.

#### Affected Model Integrations

- OpenAIChatModel: AudioUrl, DocumentUrl
- AnthropicModel: DocumentUrl (text/plain)
- GoogleModel (GLA): All types except YouTube and Files API URLs
- XaiModel: DocumentUrl
- BedrockConverseModel: ImageUrl, DocumentUrl, VideoUrl (non-S3 URLs)
- OpenRouterModel: AudioUrl

#### Mitigation

- **Upgrade to Fixed Version**: Blocks private/internal IP addresses, cloud metadata endpoints, and restricts to HTTP/HTTPS protocols only.
- **`force_download='allow-local'` Option**: Enables local access in fully trusted internal environments.
- **Workaround for Older Versions**: Use `history_processor` to filter URLs.

#### Technical Fix Details

- Introduced `_ssrf.py` module, implementing protocol validation, DNS resolution checks, private IP blocking, cloud metadata endpoint blocking, and secure redirect handling.
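
The checks listed under Technical Fix Details can be sketched as below. This is an added example, not the code of pydantic-ai's `_ssrf.py`; the names `check_url`, `final_url` and `system_resolver`, the `allow_local` flag, the injected `fetch` callable and the single metadata address are assumptions of the example.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# Constructed policy for this example, not pydantic-ai's actual lists.
METADATA_IPS = {ipaddress.ip_address("169.254.169.254")}

def system_resolver(host, port):
    """Return every address the OS resolver gives for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_url(url, resolver=system_resolver, allow_local=False):
    """Return (ok, reason). Every resolved address must pass, not just the first."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed"
    if parts.scheme not in ("http", "https"):
        return False, "scheme"
    if not parts.hostname:
        return False, "no-host"
    try:
        ips = [ipaddress.ip_address(a.split("%")[0]) for a in resolver(parts.hostname, port)]
    except (OSError, ValueError):
        return False, "dns"
    if not ips:
        return False, "dns"
    for ip in ips:
        if ip.version == 6 and ip.ipv4_mapped:  # unwrap ::ffff:10.0.0.1 style addresses
            ip = ip.ipv4_mapped
        if ip in METADATA_IPS:  # assumption: blocked even when allow_local is set
            return False, "metadata"
        if not allow_local and not ip.is_global:
            return False, "private"
    return True, "ok"

def final_url(url, fetch, resolver=system_resolver, max_hops=5):
    """Follow redirects by hand so each hop is validated before it is requested."""
    for _ in range(max_hops + 1):
        ok, reason = check_url(url, resolver)
        if not ok:
            return None, reason
        status, location = fetch(url)  # fetch must not auto-follow redirects
        if status not in (301, 302, 303, 307, 308) or not location:
            return url, "ok"
        url = urljoin(url, location)
    return None, "too-many-redirects"
```

A validator like this only vouches for the addresses it resolved. The HTTP client must connect to one of those addresses rather than resolving the name again, otherwise a DNS answer that changes between check and connect defeats it.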