CVE-2025-48985
Description
A vulnerability in Vercel’s AI SDK has been fixed in versions 5.0.52, 5.1.0-beta.9, and 6.0.0-beta. This issue may have allowed users to bypass filetype whitelists when uploading files. All users are encouraged to upgrade.
More details: https://vercel.com/changelog/cve-2025-48985-input-validation-bypass-on-ai-sdk
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A vulnerability in Vercel's AI SDK allowed bypassing filetype whitelists during file upload, patched in versions 5.0.52, 5.1.0-beta.9, and 6.0.0-beta.
Vulnerability
Overview
CVE-2025-48985 is an input validation bypass vulnerability in Vercel's AI SDK, a TypeScript toolkit for building AI-powered applications. The flaw resides in the file upload functionality, where the SDK's filetype whitelist could be circumvented, allowing users to upload files with disallowed extensions or MIME types [1]. The root cause involves improper validation of file types during the upload process, specifically when handling intermediate file downloads [4].
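The root-cause pattern visible in the fix commit on this page, as an added illustration that is not the AI SDK's code: a minimal model of the step that pairs downloaded bytes with their planned URLs, using constructed (hypothetical) URLs and byte strings. The vulnerable pairing drops null results before mapping by index into the unfiltered plan, so one intermediate file that cannot be downloaded shifts every later file onto the wrong URL; the fixed pairing keeps the index and drops nulls afterwards.

```typescript
// Added illustration, not the AI SDK's code: a minimal model of the download-table
// step changed by the fix commit, with constructed (hypothetical) URLs and bytes.
type Downloaded = { data: Uint8Array; mediaType: string | undefined } | null;
type Planned = { url: URL };
type Table = Record<string, { data: Uint8Array; mediaType: string | undefined }>;

// Vulnerable shape: drop nulls first, then index into the UNFILTERED plan,
// so one null shifts every later result onto the preceding planned URL.
function buildTableVulnerable(planned: Planned[], downloaded: Downloaded[]): Table {
  return Object.fromEntries(
    downloaded
      .filter((f): f is NonNullable<Downloaded> => f?.data != null)
      .map(({ data, mediaType }, index) => [
        planned[index].url.toString(), // index belongs to the filtered array
        { data, mediaType },
      ]),
  );
}

// Fixed shape: pair each result with its own plan entry first, then drop nulls.
function buildTableFixed(planned: Planned[], downloaded: Downloaded[]): Table {
  const entries: Array<[string, Table[string]]> = [];
  downloaded.forEach((f, index) => {
    if (f?.data != null) {
      entries.push([planned[index].url.toString(), { data: f.data, mediaType: f.mediaType }]);
    }
  });
  return Object.fromEntries(entries);
}

// Defender's check: planned URLs whose bytes differ between the two pairings,
// i.e. URLs that either received another file's bytes or lost their own.
function misattributedUrls(planned: Planned[], downloaded: Downloaded[]): string[] {
  const bad = buildTableVulnerable(planned, downloaded);
  const good = buildTableFixed(planned, downloaded);
  return planned.map(p => p.url.toString()).filter(u => bad[u]?.data !== good[u]?.data);
}

// Constructed scenario mirroring the regression test: an undownloadable file
// sits between two images that the provider cannot fetch itself.
const PLANNED: Planned[] = [
  { url: new URL('http://example.com/a.png') },
  { url: new URL('http://127.0.0.1:3000/file') },
  { url: new URL('http://example.com/b.png') },
];
const DOWNLOADED: Downloaded[] = [
  { data: new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0]), mediaType: 'image/png' },
  null, // intermediate file could not be downloaded
  { data: new Uint8Array([0x89, 0x50, 0x4e, 0x47, 1]), mediaType: 'image/png' },
];
```

With the vulnerable pairing the second image's bytes land under the undownloadable file's URL and the second image's own URL has no entry at all, so it is passed to the provider as a raw URL it was never cleared to receive.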
Exploitation
An attacker could exploit this vulnerability by crafting a file upload request that bypasses the whitelist checks. The attack requires no special privileges beyond the ability to upload files to an application using the vulnerable SDK. By manipulating the file type metadata or leveraging the SDK's download logic for unsupported file types, an attacker could upload arbitrary files that should have been rejected [3][4].
Impact
Successful exploitation could lead to arbitrary file upload, potentially enabling further attacks such as server-side code execution, data exfiltration, or cross-site scripting if uploaded files are served to other users. The severity depends on the application's handling of uploaded files, but the bypass undermines a core security control.
Mitigation
Vercel has released patched versions: 5.0.52, 5.1.0-beta.9, and 6.0.0-beta. All users are strongly encouraged to upgrade immediately [1]. No workarounds have been provided, and the vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ai (npm) | < 5.0.52 | 5.0.52 |
| ai (npm) | >= 5.1.0-beta.0, < 5.1.0-beta.9 | 5.1.0-beta.9 |
Affected products
- Vercel / AI SDK v5, Range: 5.0.51
Patches
Commit 1930399bb9839: Backport: fix(ai): download files when intermediate file cannot be downloaded (#8883)
3 files changed · +108 −11
.changeset/tall-terms-smash.md+5 −0 added@@ -0,0 +1,5 @@ +--- +'ai': patch +--- + +fix(ai): download files when intermediate file cannot be downloaded
packages/ai/src/prompt/convert-to-language-model-prompt.test.ts+95 −0 modified@@ -673,6 +673,101 @@ describe('convertToLanguageModelPrompt', () => { ]); }); }); + + it('should download files when intermediate file cannot be downloaded', async () => { + const imageUrlA = `http://example.com/my-image-A.png`; // supported + const fileUrl = `http://127.0.0.1:3000/file`; // unsupported + const imageUrlB = `http://example.com/my-image-B.png`; // supported + + const mockDownload = vi.fn().mockResolvedValue([ + { + url: new URL(imageUrlA), + data: new Uint8Array([137, 80, 78, 71, 13, 10, 26, 10, 0]), // empty png and 0 + mediaType: 'image/png', + }, + null, + { + url: new URL(imageUrlB), + data: new Uint8Array([137, 80, 78, 71, 13, 10, 26, 10, 1]), // empty png and 1 + mediaType: 'image/png', + }, + ]); + + const result = await convertToLanguageModelPrompt({ + prompt: { + messages: [ + { + role: 'user', + content: [ + { type: 'image', image: imageUrlA, mediaType: 'image/png' }, + { + type: 'file', + data: new URL(fileUrl), + mediaType: 'application/octet-stream', + }, + { type: 'image', image: imageUrlB, mediaType: 'image/png' }, + ], + }, + ], + }, + supportedUrls: { + '*': [/^https:\/\/.*$/], + }, + download: mockDownload, + }); + + expect(result).toMatchInlineSnapshot(` + [ + { + "content": [ + { + "data": Uint8Array [ + 137, + 80, + 78, + 71, + 13, + 10, + 26, + 10, + 0, + ], + "filename": undefined, + "mediaType": "image/png", + "providerOptions": undefined, + "type": "file", + }, + { + "data": "http://127.0.0.1:3000/file", + "filename": undefined, + "mediaType": "application/octet-stream", + "providerOptions": undefined, + "type": "file", + }, + { + "data": Uint8Array [ + 137, + 80, + 78, + 71, + 13, + 10, + 26, + 10, + 1, + ], + "filename": undefined, + "mediaType": "image/png", + "providerOptions": undefined, + "type": "file", + }, + ], + "providerOptions": undefined, + "role": "user", + }, + ] + `); + }); }); describe('custom download function', () => {
packages/ai/src/prompt/convert-to-language-model-prompt.ts+8 −11 modified@@ -245,18 +245,15 @@ async function downloadAssets( return Object.fromEntries( downloadedFiles - .filter( - ( - downloadedFile, - ): downloadedFile is { - mediaType: string | undefined; - data: Uint8Array; - } => downloadedFile?.data != null, + .map((file, index) => + file == null + ? null + : [ + plannedDownloads[index].url.toString(), + { data: file.data, mediaType: file.mediaType }, + ], ) - .map(({ data, mediaType }, index) => [ - plannedDownloads[index].url.toString(), - { data, mediaType }, - ]), + .filter(file => file != null), ); }
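Review bot: the changeset in .changeset/tall-terms-smash.md describes only the behavioural fix and not the security defect it closes; since this commit is the backport for CVE-2025-48985, an input validation bypass, consider naming the advisory in the release note so consumers reading the changelog understand why the upgrade is urgent.

Review bot: in the convert-to-language-model-prompt.test.ts hunk, the `// supported` comments on imageUrlA and imageUrlB contradict the `supportedUrls: { '*': [/^https:\/\/.*$/] }` setting, under which all three http URLs are unsupported and handed to the download function (which is why mockDownload resolves a three-element array); relabel them, and reword `// empty png and 0` / `// empty png and 1`, which describe a PNG signature followed by one marker byte rather than an empty image. A second case with the null result in the last position would also confirm the index pairing holds at the end of the list.

Review bot: the new `.map` in convert-to-language-model-prompt.ts narrows only on `file == null`, whereas the removed predicate also required `downloadedFile?.data != null`; a custom download function that resolves an object without `data` would now produce an entry whose `data` is undefined instead of being skipped. Consider `file?.data == null ? null : [...]` to keep the old guard while retaining the map-then-filter ordering that fixes the index misalignment.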
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References