Pydantic AI affected by Stored XSS via Path Traversal in Web UI CDN URL
Description
Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 1.34.0 to before 1.51.0, a path traversal vulnerability in the Pydantic AI web UI allows an attacker to serve arbitrary JavaScript in the context of the application by crafting a malicious URL. In affected versions, the CDN URL is constructed using a version query parameter from the request URL. This parameter is not validated, allowing path traversal sequences that cause the server to fetch and serve attacker-controlled HTML/JavaScript from an arbitrary source on the same CDN, instead of the legitimate chat UI package. If a victim clicks the link or visits it via an iframe, attacker-controlled code executes in their browser, enabling theft of chat history and other client-side data. This vulnerability only affects applications that use Agent.to_web to serve a chat interface and clai web to serve a chat interface from the CLI. These are typically run locally (on localhost), but may also be deployed on a remote server. This vulnerability is fixed in 1.51.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal vulnerability in Pydantic AI versions 1.34.0 to before 1.51.0 allows an attacker to serve arbitrary JavaScript in the chat UI via a crafted URL, enabling theft of chat history and client-side data.
Vulnerability
Overview
CVE-2026-25640 is a path traversal vulnerability in the Pydantic AI web UI, affecting versions 1.34.0 through just before 1.51.0. The root cause is that the web UI constructs a CDN URL using a version query parameter directly from the request URL without proper validation. An attacker can inject path traversal sequences (e.g., ../) into this parameter, causing the server to fetch and serve arbitrary HTML or JavaScript from a different location on the same CDN instead of the legitimate chat UI package [1][2][4].
Exploitation
To exploit this vulnerability, the attacker crafts a malicious URL targeting a victim's Pydantic AI web UI instance, which may be running locally (on localhost) or on a remote server. The attack is only possible if the application uses Agent.to_web to serve a chat interface or clai web directly from the CLI. The victim must then visit the attacker-supplied URL—either by clicking a link, following a redirect, or through an embedded iframe. The server processes the malformed version parameter, fetches attacker-controlled content from the CDN, and serves it to the victim's browser in the context of the legitimate Pydantic AI web application [2][4].
Impact
Once the attacker's JavaScript executes in the victim's browser, it gains full access to the web application's origin, including any chat history stored in localStorage (all user messages and AI responses) and any session cookies not set as HttpOnly. This client-side data theft can compromise sensitive conversations and potentially lead to session hijacking if authentication middleware is configured [2][4].
Mitigation
The vulnerability is fixed in version 1.51.0 of Pydantic AI [2][3]. Users should upgrade to this version or later immediately. There are no known workarounds; the fix removes the user-controllable version parameter from the CDN URL construction [4].
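The following is an added example, not code from Pydantic AI or from this advisory: it shows how an unvalidated `version` value changes the path a CDN URL resolves to, next to a builder that takes no request input, as the fix is described above. The CDN host, URL layout, package name, pinned version and all function names are hypothetical placeholders.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Assumed placeholder layout (not the project's real URL): /<package>/<version>/index.html
CDN_BASE = "https://cdn.example.invalid"
PACKAGE = "chat-ui"        # hypothetical package name
PINNED_VERSION = "1.0.0"   # hypothetical release pinned by the server

VERSION_RE = re.compile(r"\d+\.\d+\.\d+")


def build_url_unvalidated(version: str) -> str:
    """Pre-fix pattern: the request's `version` value is interpolated as-is."""
    return f"{CDN_BASE}/{PACKAGE}/{version}/index.html"


def build_url_pinned() -> str:
    """Post-fix pattern: no request input reaches the CDN URL."""
    return f"{CDN_BASE}/{PACKAGE}/{PINNED_VERSION}/index.html"


def resolved_path(url: str) -> str:
    """Path after dot-segment removal, as an HTTP client or CDN resolves it."""
    return posixpath.normpath(urlsplit(url).path)


def stays_in_package(url: str) -> bool:
    """True only if the resolved URL still points inside the intended package."""
    parts = urlsplit(url)
    same_origin = f"{parts.scheme}://{parts.netloc}" == CDN_BASE
    return same_origin and resolved_path(url).startswith(f"/{PACKAGE}/")


def is_plain_version(value: str) -> bool:
    """Strict allowlist check: digits and dots only, nothing else."""
    return VERSION_RE.fullmatch(value) is not None


if __name__ == "__main__":
    # Constructed inputs: one ordinary version, one containing a traversal sequence.
    for candidate in ("1.0.0", "../other-package/1.0.0"):
        url = build_url_unvalidated(candidate)
        print(f"{candidate!r}: resolves to {resolved_path(url)}, "
              f"in package={stays_in_package(url)}, "
              f"plain version={is_plain_version(candidate)}")
```

The same `is_plain_version` check can be run over the `version` query values in access logs of an affected deployment to flag requests that carried anything other than a plain version string.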
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pydantic-ai (PyPI) | >= 1.34.0, < 1.51.0 | 1.51.0 |
| pydantic-ai-slim (PyPI) | >= 1.34.0, < 1.51.0 | 1.51.0 |
Affected products
- Range: >=1.34.0, <1.51.0
- pydantic/pydantic-ai v5 Range: >= 1.34.0, < 1.51.0
References
- github.com/advisories/GHSA-wjp5-868j-wqv7 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-25640 (ghsa, ADVISORY)
- github.com/pydantic/pydantic-ai/releases/tag/v1.51.0 (ghsa, x_refsource_MISC, WEB)
- github.com/pydantic/pydantic-ai/security/advisories/GHSA-wjp5-868j-wqv7 (ghsa, x_refsource_CONFIRM, WEB)