Vulnerability-Lookup

CVE-2026-25580 (GCVE-0-2026-25580)

Vulnerability from cvelistv5 – Published: 2026-02-06 21:01 – Updated: 2026-06-30 12:06

Title

Pydantic AI Affected by Server-Side Request Forgery (SSRF) in URL Download Handling

Summary

Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 0.0.26 to before 1.56.0, aServer-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI's URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials. This vulnerability only affects applications that accept message history from external users. This vulnerability is fixed in 1.56.0.

Severity

8.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

5 references

URL	Tags
https://github.com/pydantic/pydantic-ai/security/…	x_refsource_CONFIRM
https://github.com/pydantic/pydantic-ai/commit/d3…	x_refsource_MISC
https://access.redhat.com/security/cve/CVE-2026-25580	vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2437781	issue-trackingx_refsource_REDHAT
https://security.access.redhat.com/data/csaf/v2/v…	x_sadp-csaf-vex

Impacted products

2 products

Vendor	Product	Version
pydantic	pydantic-ai	Affected: >= 0.0.26, < 1.56.0
Red Hat	Red Hat Enterprise Linux AI (RHEL AI) 3	cpe:/a:redhat:enterprise_linux_ai:3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25580",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-09T15:21:59.190923Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-09T15:27:37.772Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux_ai:3"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-02-06T21:01:38.035Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in Pydantic AI. This Server-Side Request Forgery (SSRF) vulnerability allows a remote attacker to include malicious URLs within untrusted message history. When processed by the application, these URLs can force the server to make unauthorized HTTP requests to internal network resources. This could lead to the disclosure of sensitive internal information or access to cloud credentials."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 8.6,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-918",
                "description": "Server-Side Request Forgery (SSRF)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T12:06:33.493Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-25580"
          },
          {
            "name": "RHBZ#2437781",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437781"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25580.json"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-02-09T11:05:31.886Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-02-06T21:01:38.035Z",
            "value": "Made public."
          }
        ],
        "title": "Pydantic AI: Pydantic AI: Information disclosure via Server-Side Request Forgery (SSRF) through malicious URLs in message history.",
        "workarounds": [
          {
            "lang": "en",
            "value": "To mitigate, configure applications using Pydantic AI to avoid accepting message history from untrusted external sources. Implement robust input validation and sanitization for all URLs processed by the application. Additionally, restrict network access for the Pydantic AI application to only essential internal and external resources, thereby limiting the potential impact of SSRF attacks."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "pydantic-ai",
          "vendor": "pydantic",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.0.26, \u003c 1.56.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 0.0.26 to before 1.56.0, aServer-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI\u0027s URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials. This vulnerability only affects applications that accept message history from external users. This vulnerability is fixed in 1.56.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-06T21:01:38.035Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv3"
        },
        {
          "name": "https://github.com/pydantic/pydantic-ai/commit/d398bc9d39aecca6530fa7486a410d5cce936301",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pydantic/pydantic-ai/commit/d398bc9d39aecca6530fa7486a410d5cce936301"
        }
      ],
      "source": {
        "advisory": "GHSA-2jrp-274c-jhv3",
        "discovery": "UNKNOWN"
      },
      "title": "Pydantic AI Affected by Server-Side Request Forgery (SSRF) in URL Download Handling"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25580",
    "datePublished": "2026-02-06T21:01:38.035Z",
    "dateReserved": "2026-02-03T01:02:46.715Z",
    "dateUpdated": "2026-06-30T12:06:33.493Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-25580",
      "date": "2026-06-30",
      "epss": "0.00579",
      "percentile": "0.43284"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-25580\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-06T21:16:17.167\",\"lastModified\":\"2026-06-30T03:17:42.753\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 0.0.26 to before 1.56.0, aServer-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI\u0027s URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials. This vulnerability only affects applications that accept message history from external users. This vulnerability is fixed in 1.56.0.\"},{\"lang\":\"es\",\"value\":\"Pydantic AI es un framework de agente Python para construir aplicaciones y flujos de trabajo con IA Generativa. Desde la 0.0.26 hasta antes de la 1.56.0, existe una vulnerabilidad de Server-Side Request Forgery (SSRF) en la funcionalidad de descarga de URL de Pydantic AI. Cuando las aplicaciones aceptan el historial de mensajes de fuentes no confiables, los atacantes pueden incluir URL maliciosas que hacen que el servidor realice solicitudes HTTP a recursos de red internos, accediendo potencialmente a servicios internos o credenciales en la nube. Esta vulnerabilidad solo afecta a aplicaciones que aceptan el historial de mensajes de usuarios externos. Esta vulnerabilidad est\u00e1 corregida en la 1.56.0.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"pydantic\",\"product\":\"pydantic-ai\",\"versions\":[{\"version\":\"\u003e= 0.0.26, \u003c 1.56.0\",\"status\":\"affected\"}]}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"affectedData\":[{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AI (RHEL AI) 3\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:enterprise_linux_ai:3\"]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.0},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.0}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-02-09T15:21:59.190923Z\",\"id\":\"CVE-2026-25580\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pydantic:pydantic_ai:*:*:*:*:*:python:*:*\",\"versionStartIncluding\":\"0.0.26\",\"versionEndExcluding\":\"1.56.0\",\"matchCriteriaId\":\"AED125A7-1F54-4ACF-A702-6D4C09ABDE13\"}]}]}],\"references\":[{\"url\":\"https://github.com/pydantic/pydantic-ai/commit/d398bc9d39aecca6530fa7486a410d5cce936301\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-25580\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2437781\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25580.json\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"Pydantic AI: Pydantic AI: Information disclosure via Server-Side Request Forgery (SSRF) through malicious URLs in message history.\", \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Important\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"cpes\": [\"cpe:/a:redhat:enterprise_linux_ai:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux AI (RHEL AI) 3\", \"defaultStatus\": \"affected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-02-09T11:05:31.886Z\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2026-02-06T21:01:38.035Z\", \"value\": \"Made public.\"}], \"x_adpType\": \"supplier\", \"datePublic\": \"2026-02-06T21:01:38.035Z\", \"references\": [{\"url\": \"https://access.redhat.com/security/cve/CVE-2026-25580\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2437781\", \"name\": \"RHBZ#2437781\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25580.json\", \"tags\": [\"x_sadp-csaf-vex\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"To mitigate, configure applications using Pydantic AI to avoid accepting message history from untrusted external sources. Implement robust input validation and sanitization for all URLs processed by the application. Additionally, restrict network access for the Pydantic AI application to only essential internal and external resources, thereby limiting the potential impact of SSRF attacks.\"}], \"x_generator\": {\"engine\": \"sadp-cli 1.0.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A flaw was found in Pydantic AI. This Server-Side Request Forgery (SSRF) vulnerability allows a remote attacker to include malicious URLs within untrusted message history. When processed by the application, these URLs can force the server to make unauthorized HTTP requests to internal network resources. This could lead to the disclosure of sensitive internal information or access to cloud credentials.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\", \"shortName\": \"redhat-SADP\", \"dateUpdated\": \"2026-06-30T02:42:27.039Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25580\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-09T15:21:59.190923Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-09T15:22:00.087Z\"}}], \"cna\": {\"title\": \"Pydantic AI Affected by Server-Side Request Forgery (SSRF) in URL Download Handling\", \"source\": {\"advisory\": \"GHSA-2jrp-274c-jhv3\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"pydantic\", \"product\": \"pydantic-ai\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 0.0.26, \u003c 1.56.0\"}]}], \"references\": [{\"url\": \"https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv3\", \"name\": \"https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv3\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/pydantic/pydantic-ai/commit/d398bc9d39aecca6530fa7486a410d5cce936301\", \"name\": \"https://github.com/pydantic/pydantic-ai/commit/d398bc9d39aecca6530fa7486a410d5cce936301\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 0.0.26 to before 1.56.0, aServer-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI\u0027s URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials. This vulnerability only affects applications that accept message history from external users. This vulnerability is fixed in 1.56.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-06T21:01:38.035Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-25580\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-30T02:42:27.039Z\", \"dateReserved\": \"2026-02-03T01:02:46.715Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-06T21:01:38.035Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-25580

Vulnerability from fkie_nvd - Published: 2026-02-06 21:16 - Updated: 2026-06-30 03:17

Severity

8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/pydantic/pydantic-ai/commit/d398bc9d39aecca6530fa7486a410d5cce936301	Patch
security-advisories@github.com	https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv3	Exploit, Mitigation, Vendor Advisory
0b0ca135-0b70-47e7-9f44-1890c2a1c46c	https://access.redhat.com/security/cve/CVE-2026-25580
0b0ca135-0b70-47e7-9f44-1890c2a1c46c	https://bugzilla.redhat.com/show_bug.cgi?id=2437781
0b0ca135-0b70-47e7-9f44-1890c2a1c46c	https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25580.json

Impacted products

	Vendor	Product	Version
	pydantic	pydantic_ai	*

JSON

To clipboard

{
  "affected": [
    {
      "affectedData": [
        {
          "product": "pydantic-ai",
          "vendor": "pydantic",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.0.26, \u003c 1.56.0"
            }
          ]
        }
      ],
      "source": "security-advisories@github.com"
    },
    {
      "affectedData": [
        {
          "cpes": [
            "cpe:/a:redhat:enterprise_linux_ai:3"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
          "vendor": "Red Hat"
        }
      ],
      "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c"
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pydantic:pydantic_ai:*:*:*:*:*:python:*:*",
              "matchCriteriaId": "AED125A7-1F54-4ACF-A702-6D4C09ABDE13",
              "versionEndExcluding": "1.56.0",
              "versionStartIncluding": "0.0.26",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 0.0.26 to before 1.56.0, aServer-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI\u0027s URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials. This vulnerability only affects applications that accept message history from external users. This vulnerability is fixed in 1.56.0."
    },
    {
      "lang": "es",
      "value": "Pydantic AI es un framework de agente Python para construir aplicaciones y flujos de trabajo con IA Generativa. Desde la 0.0.26 hasta antes de la 1.56.0, existe una vulnerabilidad de Server-Side Request Forgery (SSRF) en la funcionalidad de descarga de URL de Pydantic AI. Cuando las aplicaciones aceptan el historial de mensajes de fuentes no confiables, los atacantes pueden incluir URL maliciosas que hacen que el servidor realice solicitudes HTTP a recursos de red internos, accediendo potencialmente a servicios internos o credenciales en la nube. Esta vulnerabilidad solo afecta a aplicaciones que aceptan el historial de mensajes de usuarios externos. Esta vulnerabilidad est\u00e1 corregida en la 1.56.0."
    }
  ],
  "id": "CVE-2026-25580",
  "lastModified": "2026-06-30T03:17:42.753",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.0,
        "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2026-25580",
          "options": [
            {
              "exploitation": "none"
            },
            {
              "automatable": "yes"
            },
            {
              "technicalImpact": "partial"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2026-02-09T15:21:59.190923Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2026-02-06T21:16:17.167",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/pydantic/pydantic-ai/commit/d398bc9d39aecca6530fa7486a410d5cce936301"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv3"
    },
    {
      "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
      "url": "https://access.redhat.com/security/cve/CVE-2026-25580"
    },
    {
      "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437781"
    },
    {
      "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25580.json"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
      "type": "Secondary"
    }
  ]
}

GHSA-2JRP-274C-JHV3

Vulnerability from github – Published: 2026-02-06 18:32 – Updated: 2026-02-06 21:42

Summary

Pydantic AI has Server-Side Request Forgery (SSRF) in URL Download Handling

Details

Summary

A Server-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI's URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials.

This vulnerability only affects applications that accept message history from external users, such as those using: - Agent.to_web or clai web to serve a chat interface - VercelAIAdapter for Vercel AI SDK integration - AGUIAdapter or Agent.to_ag_ui for AG-UI protocol integration - Custom APIs that accept message history from user input

Applications that only use hardcoded or developer-controlled URLs are not affected.

Description

The download_item() helper function downloads content from URLs without validating that the target is a public internet address. When user-supplied message history contains URLs, attackers can:

Access internal services: Request http://127.0.0.1, localhost, or private IP ranges (10.x.x.x, 172.16.x.x, 192.168.x.x)
Steal cloud credentials: Access cloud metadata endpoints (AWS IMDSv1 at 169.254.169.254, GCP, Azure, Alibaba Cloud)
Scan internal networks: Enumerate internal hosts and ports

Who Is Affected

You are affected if your application:

Uses Agent.to_web or clai web - The web interface accepts file attachments via the Vercel AI Data Stream Protocol, where users can provide arbitrary URLs through chat messages.
Uses VercelAIAdapter - Chat interfaces built with Vercel AI SDK allow users to submit messages containing URLs that are processed server-side.
Uses AGUIAdapter or Agent.to_ag_ui - The AG-UI protocol allows users to provide file references with URLs as part of agent interactions.
Exposes a custom API accepting message history - Any endpoint that accepts message history or ImageUrl, AudioUrl, VideoUrl, DocumentUrl objects from user input.

Attack Scenario

Via chat interface, an attacker submits a message with a file attachment pointing to an internal resource:

{
  "role": "user",
  "parts": [
    {"type": "file", "mediaType": "image/png", "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}
  ]
}

Affected Model Integrations

Multiple model integrations download URL content in certain conditions:

Provider	Downloaded Types
`OpenAIChatModel`	`AudioUrl`, `DocumentUrl`
`AnthropicModel`	`DocumentUrl` (`text/plain`)
`GoogleModel` (GLA)	All URL types (except YouTube and Files API URLs)
`XaiModel`	`DocumentUrl`
`BedrockConverseModel`	`ImageUrl`, `DocumentUrl`, `VideoUrl` (non-S3 URLs)
`OpenRouterModel`	`AudioUrl`

Remediation

Upgrade to Patched Version

Upgrade to the patched version or later. The fix adds comprehensive SSRF protection:

Blocks private/internal IP addresses by default
Always blocks cloud metadata endpoints (even with allow-local)
Only allows http:// and https:// protocols
Resolves hostnames before requests to prevent DNS rebinding
Validates each redirect target

New `force_download='allow-local'` Option

If an application legitimately needs to access local/private network resources (e.g., in a fully trusted internal environment), it can explicitly opt in:

from pydantic_ai import ImageUrl

# Default behavior: private IPs are blocked
ImageUrl(url="http://internal-service/image.png")  # Raises ValueError

# Opt-in to allow local access (use with caution)
ImageUrl(url="http://internal-service/image.png", force_download='allow-local')

Important: Cloud metadata endpoints (169.254.169.254, fd00:ec2::254, 100.100.100.200) are always blocked, even with allow-local.

Workaround for Older Versions

If a project cannot upgrade immediately, use a history processor to filter out URLs targeting local/private addresses:

import ipaddress
import socket
from urllib.parse import urlparse

from pydantic_ai import Agent, ModelMessage, ModelRequest
from pydantic_ai.messages import AudioUrl, DocumentUrl, ImageUrl, VideoUrl

def is_private_url(url: str) -> bool:
    """Check if a URL targets a private/internal IP address."""
    try:
        parsed = urlparse(url)
        hostname = parsed.hostname
        if not hostname:
            return True  # Invalid URL, block it

        # Resolve hostname to IP
        ip_str = socket.gethostbyname(hostname)
        ip = ipaddress.ip_address(ip_str)

        # Block private, loopback, and link-local addresses
        return ip.is_private or ip.is_loopback or ip.is_link_local
    except (socket.gaierror, ValueError):
        return True  # DNS resolution failed, block it

def filter_private_urls(messages: list[ModelMessage]) -> list[ModelMessage]:
    """Remove URL parts that target private/internal addresses."""
    url_types = (ImageUrl, AudioUrl, VideoUrl, DocumentUrl)
    filtered = []
    for msg in messages:
        if isinstance(msg, ModelRequest):
            safe_parts = [
                part for part in msg.parts
                if not (isinstance(part, url_types) and is_private_url(part.url))
            ]
            if safe_parts:
                filtered.append(ModelRequest(parts=safe_parts))
        else:
            filtered.append(msg)
    return filtered

# Apply the filter to your agent
agent = Agent('openai:gpt-5', history_processors=[filter_private_urls])

Technical Details of the Fix

The fix introduces a new _ssrf.py module with comprehensive protection:

Protocol validation: Only http:// and https:// allowed
DNS resolution before request: Prevents DNS rebinding attacks
Private IP blocking (by default):
127.0.0.0/8, ::1/128 (loopback)
10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 (private)
169.254.0.0/16, fe80::/10 (link-local)
100.64.0.0/10 (CGNAT)
fc00::/7 (unique local)
2002::/16 (6to4, can embed private IPv4)
Cloud metadata always blocked: 169.254.169.254, fd00:ec2::254, 100.100.100.200
Safe redirect handling: Each redirect validated before following (max 10)

Severity

8.6 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pydantic-ai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.26"
            },
            {
              "fixed": "1.56.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pydantic-ai-slim"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.26"
            },
            {
              "fixed": "1.56.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25580"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-06T18:32:39Z",
    "nvd_published_at": "2026-02-06T21:16:17Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nA Server-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI\u0027s URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials.\n\n**This vulnerability only affects applications that accept message history from external users**, such as those using:\n- **`Agent.to_web`** or **`clai web`** to serve a chat interface\n- **`VercelAIAdapter`** for Vercel AI SDK integration\n- **`AGUIAdapter`** or **`Agent.to_ag_ui`** for AG-UI protocol integration\n- Custom APIs that accept message history from user input\n\nApplications that only use hardcoded or developer-controlled URLs are not affected.\n\n### Description\n\nThe `download_item()` helper function downloads content from URLs without validating that the target is a public internet address. When user-supplied message history contains URLs, attackers can:\n\n1. **Access internal services**: Request `http://127.0.0.1`, `localhost`, or private IP ranges (`10.x.x.x`, `172.16.x.x`, `192.168.x.x`)\n2. **Steal cloud credentials**: Access cloud metadata endpoints (AWS IMDSv1 at `169.254.169.254`, GCP, Azure, Alibaba Cloud)\n3. **Scan internal networks**: Enumerate internal hosts and ports\n\n### Who Is Affected\n\nYou are affected if your application:\n\n1. **Uses `Agent.to_web` or `clai web`** - The web interface accepts file attachments via the Vercel AI Data Stream Protocol, where users can provide arbitrary URLs through chat messages.\n\n2. **Uses `VercelAIAdapter`** - Chat interfaces built with Vercel AI SDK allow users to submit messages containing URLs that are processed server-side.\n\n3. **Uses `AGUIAdapter` or `Agent.to_ag_ui`** - The AG-UI protocol allows users to provide file references with URLs as part of agent interactions.\n\n4. **Exposes a custom API accepting message history** - Any endpoint that accepts message history or `ImageUrl`, `AudioUrl`, `VideoUrl`, `DocumentUrl` objects from user input.\n\n### Attack Scenario\n\nVia chat interface, an attacker submits a message with a file attachment pointing to an internal resource:\n```json\n{\n  \"role\": \"user\",\n  \"parts\": [\n    {\"type\": \"file\", \"mediaType\": \"image/png\", \"url\": \"http://169.254.169.254/latest/meta-data/iam/security-credentials/\"}\n  ]\n}\n```\n\n### Affected Model Integrations\n\nMultiple model integrations download URL content in certain conditions:\n\n| Provider | Downloaded Types |\n|----------|------------------|\n| `OpenAIChatModel` | `AudioUrl`, `DocumentUrl` |\n| `AnthropicModel` | `DocumentUrl` (`text/plain`) |\n| `GoogleModel` (GLA) | All URL types (except YouTube and Files API URLs) |\n| `XaiModel` | `DocumentUrl` |\n| `BedrockConverseModel` | `ImageUrl`, `DocumentUrl`, `VideoUrl` (non-S3 URLs) |\n| `OpenRouterModel` | `AudioUrl` |\n\n## Remediation\n\n### Upgrade to Patched Version\n\n**Upgrade** to the patched version or later. The fix adds comprehensive SSRF protection:\n\n- Blocks private/internal IP addresses by default\n- Always blocks cloud metadata endpoints (even with `allow-local`)\n- Only allows `http://` and `https://` protocols\n- Resolves hostnames before requests to prevent DNS rebinding\n- Validates each redirect target\n\n### New `force_download=\u0027allow-local\u0027` Option\n\nIf an application legitimately needs to access local/private network resources (e.g., in a fully trusted internal environment), it can explicitly opt in:\n\n```python\nfrom pydantic_ai import ImageUrl\n\n# Default behavior: private IPs are blocked\nImageUrl(url=\"http://internal-service/image.png\")  # Raises ValueError\n\n# Opt-in to allow local access (use with caution)\nImageUrl(url=\"http://internal-service/image.png\", force_download=\u0027allow-local\u0027)\n```\n\n**Important**: Cloud metadata endpoints (`169.254.169.254`, `fd00:ec2::254`, `100.100.100.200`) are **always blocked**, even with `allow-local`.\n\n### Workaround for Older Versions\n\nIf a project cannot upgrade immediately, use a [history processor](https://ai.pydantic.dev/message-history/#processing-message-history) to filter out URLs targeting local/private addresses:\n\n```python\nimport ipaddress\nimport socket\nfrom urllib.parse import urlparse\n\nfrom pydantic_ai import Agent, ModelMessage, ModelRequest\nfrom pydantic_ai.messages import AudioUrl, DocumentUrl, ImageUrl, VideoUrl\n\ndef is_private_url(url: str) -\u003e bool:\n    \"\"\"Check if a URL targets a private/internal IP address.\"\"\"\n    try:\n        parsed = urlparse(url)\n        hostname = parsed.hostname\n        if not hostname:\n            return True  # Invalid URL, block it\n\n        # Resolve hostname to IP\n        ip_str = socket.gethostbyname(hostname)\n        ip = ipaddress.ip_address(ip_str)\n\n        # Block private, loopback, and link-local addresses\n        return ip.is_private or ip.is_loopback or ip.is_link_local\n    except (socket.gaierror, ValueError):\n        return True  # DNS resolution failed, block it\n\ndef filter_private_urls(messages: list[ModelMessage]) -\u003e list[ModelMessage]:\n    \"\"\"Remove URL parts that target private/internal addresses.\"\"\"\n    url_types = (ImageUrl, AudioUrl, VideoUrl, DocumentUrl)\n    filtered = []\n    for msg in messages:\n        if isinstance(msg, ModelRequest):\n            safe_parts = [\n                part for part in msg.parts\n                if not (isinstance(part, url_types) and is_private_url(part.url))\n            ]\n            if safe_parts:\n                filtered.append(ModelRequest(parts=safe_parts))\n        else:\n            filtered.append(msg)\n    return filtered\n\n# Apply the filter to your agent\nagent = Agent(\u0027openai:gpt-5\u0027, history_processors=[filter_private_urls])\n```\n\n## Technical Details of the Fix\n\nThe fix introduces a new `_ssrf.py` module with comprehensive protection:\n\n1. **Protocol validation**: Only `http://` and `https://` allowed\n2. **DNS resolution before request**: Prevents DNS rebinding attacks\n3. **Private IP blocking** (by default):\n   - `127.0.0.0/8`, `::1/128` (loopback)\n   - `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16` (private)\n   - `169.254.0.0/16`, `fe80::/10` (link-local)\n   - `100.64.0.0/10` (CGNAT)\n   - `fc00::/7` (unique local)\n   - `2002::/16` (6to4, can embed private IPv4)\n4. **Cloud metadata always blocked**: `169.254.169.254`, `fd00:ec2::254`, `100.100.100.200`\n5. **Safe redirect handling**: Each redirect validated before following (max 10)",
  "id": "GHSA-2jrp-274c-jhv3",
  "modified": "2026-02-06T21:42:27Z",
  "published": "2026-02-06T18:32:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25580"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pydantic/pydantic-ai/commit/d398bc9d39aecca6530fa7486a410d5cce936301"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pydantic/pydantic-ai"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pydantic AI has Server-Side Request Forgery (SSRF) in URL Download Handling"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-25580 (GCVE-0-2026-25580)

FKIE_CVE-2026-25580

GHSA-2JRP-274C-JHV3

Summary

Description

Who Is Affected

Attack Scenario

Affected Model Integrations

Remediation

Upgrade to Patched Version

New force_download='allow-local' Option

Workaround for Older Versions

Technical Details of the Fix

Tags

Sightings

Nomenclature

New `force_download='allow-local'` Option