CVE-2026-8768
Description
A vulnerability was found in vercel ai up to 3.0.97. The affected element is the function validateDownloadUrl of the file packages/provider-utils/src/download-blob.ts of the component provider-utils. The manipulation results in server-side request forgery. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Blind SSRF via HTTP redirect bypass in @ai-sdk/provider-utils validateDownloadUrl, allowing internal network requests before validation.
Vulnerability
A server-side request forgery (SSRF) vulnerability exists in the @ai-sdk/provider-utils package up to version 3.0.97. The validateDownloadUrl function in packages/provider-utils/src/download-blob.ts validates user-supplied URLs against private IPs before passing them to fetch(). However, fetch by default follows HTTP redirects, and the validation only checks the initial URL, not the final destination. An attacker can supply a public URL that redirects (302) to an internal address (e.g., 127.0.0.1, 10.x.x.x, 192.168.x.x). The fetch call transparently follows the redirect and issues a GET request to the internal target before the post-redirect validation (if (response.redirected) validateDownloadUrl(response.url)) runs, which then throws an error but only after the request has been executed [1][2].
Exploitation
An unauthenticated attacker can craft a URL pointing to a public server under their control (or an open redirect service like httpbin.org) that responds with an HTTP 302 redirect to an internal IP endpoint (e.g., http://127.0.0.1:8080/admin/delete). The validateDownloadUrl check on the initial URL passes because it is not private. The fetch call follows the redirect automatically, reaching the internal service. The post-flight validation catches the redirect and throws an error, but the internal request has already been executed [1][2]. This exploits a time-of-check to time-of-use (TOCTOU) gap during redirection.
Impact
An attacker can trigger blind SSRF, causing unintended HTTP GET requests to internal network services. Because the error thrown after the redirect prevents the response body from being returned, the attack is blind; however, any state-modifying endpoints that respond to GET requests (e.g., administrative actions, cache invalidations, health checks that trigger side effects) can be triggered on the internal network. The result is high-impact internal reconnaissance or exploitation of internal services that require no authentication or authorization [1][2].
Mitigation
The vendor (Vercel AI) was contacted prior to disclosure but did not respond. As of the CVE publication date (2026-05-17), no official patch has been released. Users should upgrade to a version beyond 3.0.97 once available. In the meantime, a workaround is to avoid using downloadBlob or download functions from @ai-sdk/provider-utils with untrusted URLs, or to implement a proxy that disallows redirects to private IPs. The vulnerability is likely to be listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog given the public exploit [1][2].
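To make the redirect gap from the Vulnerability section and the hop-by-hop workaround from the Mitigation section concrete, the following is an added example and not code from the ai-sdk repository. It replaces the network with a constructed in-memory table so it runs offline, and its validateDownloadUrl/isPrivateUrl are simplified stand-ins that only match IP literals, not the library's own implementation.

```javascript
// Added example (not ai-sdk code): models the redirect TOCTOU gap and a
// hop-by-hop fix. isPrivateUrl is a simplified stand-in for the real check.
const PRIVATE = [/^127\./, /^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./, /^0\.0\.0\.0$/];

function isPrivateUrl(u) {
  const host = new URL(u).hostname.replace(/^\[|\]$/g, '');
  return host === 'localhost' || host === '::1' || PRIVATE.some((re) => re.test(host));
}

function validateDownloadUrl(u) {
  if (isPrivateUrl(u)) throw new Error(`blocked private URL: ${u}`);
}

// Constructed mock network: a public host that 302s to a loopback endpoint.
const SERVER = {
  'https://redirector.example/blob': { status: 302, location: 'http://127.0.0.1:8080/admin/delete' },
  'http://127.0.0.1:8080/admin/delete': { status: 200, body: 'deleted' },
};
const requestLog = []; // every request actually issued, i.e. the side effect that matters

// Stand-in for fetch(): synchronous, but follows 302s the way redirect: 'follow' does.
function mockFetch(url, { redirect = 'follow' } = {}) {
  let current = url;
  for (let hops = 0; hops < 5; hops++) {
    requestLog.push(current);
    const res = SERVER[current] || { status: 404, body: '' };
    if (res.status === 302 && redirect === 'follow') { current = res.location; continue; }
    return { status: res.status, body: res.body, url: current, redirected: current !== url, location: res.location };
  }
  throw new Error('too many redirects');
}

// Vulnerable shape: validate once, let the client follow, then re-check the final URL.
function downloadVulnerable(url) {
  validateDownloadUrl(url);
  const res = mockFetch(url); // the loopback GET has already been issued by now
  if (res.redirected) validateDownloadUrl(res.url); // throws, but too late
  return res.body;
}

// Hardened shape: never auto-follow; validate every hop before requesting it.
function downloadSafe(url, maxHops = 5) {
  let current = url;
  for (let i = 0; i <= maxHops; i++) {
    validateDownloadUrl(current);
    const res = mockFetch(current, { redirect: 'manual' });
    if (res.status !== 302) return res.body;
    current = new URL(res.location, current).href; // resolve a relative Location header
  }
  throw new Error('too many redirects');
}
```

In a real implementation the private-address check must also resolve hostnames (and re-check the resolved address per hop, since DNS can change between hops), and the manual-redirect loop relies on the runtime exposing the 3xx response and its Location header, which Node's fetch does with redirect: 'manual'.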
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (6)
- gist.github.com/YLChen-007/cf7e47e4dda392f474ca77a66d1d847f (NVD tags: Exploit, Third Party Advisory)
- vuldb.com/submit/811404 (NVD tags: Third Party Advisory, VDB Entry)
- vuldb.com/submit/811405 (NVD tags: Third Party Advisory, VDB Entry)
- vuldb.com/vuln/364393 (NVD tags: Third Party Advisory, VDB Entry)
- gist.github.com/YLChen-007/07d149bd68adbee58165b4207a2abc71 (NVD tags: Not Applicable)
- vuldb.com/vuln/364393/cti (NVD tags: Permissions Required, VDB Entry)
News mentions (0)
No linked articles in our index yet.