CVE-2026-8769
Description
A vulnerability was determined in vercel ai up to 3.0.97. The impacted element is the function createJsonResponseHandler/createJsonErrorResponseHandler of the file packages/provider-utils/src/response-handler.ts of the component provider-utils. This manipulation causes resource consumption. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing response size limit in @ai-sdk/provider-utils up to 3.0.97 allows remote memory exhaustion DoS via unbounded HTTP response streaming.
Vulnerability
The vulnerability resides in the createJsonResponseHandler and createJsonErrorResponseHandler functions within packages/provider-utils/src/response-handler.ts of the @ai-sdk/provider-utils package (affecting versions up to and including 3.0.97). These handlers process non-streaming JSON responses from backend AI providers and MCP servers by calling await response.text() without imposing any size limit on the incoming payload. This allows a malicious provider or a compromised MCP server endpoint to stream an infinite chunked HTTP response, causing the entire response body to be buffered into a native V8 string in memory [1].
Exploitation
An attacker needs network control over a backend provider or MCP server endpoint that the AI SDK connects to — for example, by configuring a malicious baseURL in environments that allow users to bring their own API gateway or MCP server. The attacker issues an HTTP 200 OK response with no Content-Length header and sends an endless stream of data (e.g., whitespace). The SDK unconditionally accumulates this chunked data in memory, leading to rapid heap exhaustion [1]. No authentication or user interaction beyond this configuration is required for a remote attacker to initiate the exploit.
Impact
Successful exploitation triggers an out-of-memory (OOM) fatal error in the Node.js process, causing a denial of service (DoS). In multi-tenant applications or pipelines that permit users to set custom endpoint baseURLs, a single malicious request can crash the entire backend service, disrupting all active sessions [1]. The CIA outcome is a total loss of availability, with no data confidentiality or integrity impact.
Mitigation
As of the publication date (2026-05-17), the vendor has not responded to the disclosure and no fix is available. The patched version for downloadBlob() (which uses readResponseWithSizeLimit()) indicates that a similar bounded approach should be applied to createJsonResponseHandler and createJsonErrorResponseHandler. Users should limit network access to trusted providers, restrict the ability to set custom baseURL configurations, and monitor memory usage. This CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog [1].
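The pattern described under Vulnerability and the bounded approach suggested under Mitigation, side by side, as an added example that is not code from the AI SDK or the page's references. It assumes Node 18 or later for the global `Response`, `ReadableStream` and `TextDecoder`; the names `readResponseWithSizeLimit`, `BoundedBodyBuffer` and `createBoundedJsonResponseHandler` are this example's own, not the project's API, and the endless-whitespace response is a constructed stand-in for a misbehaving provider endpoint.

```javascript
// Added example (not @ai-sdk code). Requires Node 18+ (global fetch Response,
// ReadableStream, TextEncoder/TextDecoder). All names below are hypothetical.

class ResponseTooLargeError extends Error {
  constructor(limit) {
    super(`response body exceeded ${limit} bytes`);
    this.name = 'ResponseTooLargeError';
  }
}

// Synchronous core: accumulate body chunks and fail as soon as the running
// total exceeds the limit, before the next chunk is retained.
class BoundedBodyBuffer {
  constructor(maxBytes) {
    this.maxBytes = maxBytes;
    this.chunks = [];
    this.size = 0;
  }
  push(chunk) {
    this.size += chunk.byteLength;
    if (this.size > this.maxBytes) throw new ResponseTooLargeError(this.maxBytes);
    this.chunks.push(chunk);
  }
  text() {
    const out = new Uint8Array(this.size);
    let offset = 0;
    for (const c of this.chunks) { out.set(c, offset); offset += c.byteLength; }
    return new TextDecoder().decode(out);
  }
}

// The pattern the page describes: the whole body is buffered into one string
// with no bound, so a chunked response that never ends grows the heap until OOM.
async function unboundedJsonHandler(response) {
  const text = await response.text();
  return JSON.parse(text);
}

// Bounded replacement: reject an oversized declared length up front, then read
// the stream chunk by chunk and cancel it the moment the limit is exceeded so
// no further data is pulled from the remote side.
async function readResponseWithSizeLimit(response, maxBytes) {
  const declared = response.headers.get('content-length');
  if (declared !== null && Number(declared) > maxBytes) {
    throw new ResponseTooLargeError(maxBytes);
  }
  if (!response.body) return '';
  const buf = new BoundedBodyBuffer(maxBytes);
  const reader = response.body.getReader();
  try {
    for (;;) {
      const { done, value } = await reader.read();
      if (done) break;
      buf.push(value);
    }
  } catch (err) {
    await reader.cancel().catch(() => {}); // stop consuming the stream
    throw err;
  } finally {
    reader.releaseLock();
  }
  return buf.text();
}

function createBoundedJsonResponseHandler(maxBytes) {
  return async (response) => JSON.parse(await readResponseWithSizeLimit(response, maxBytes));
}

// Constructed stand-in for a misbehaving provider: 200 OK, no Content-Length,
// chunked whitespace forever (each pull enqueues another 1 KiB chunk).
function endlessWhitespaceResponse() {
  const chunk = new TextEncoder().encode(' '.repeat(1024));
  const stream = new ReadableStream({ pull(controller) { controller.enqueue(chunk); } });
  return new Response(stream, { status: 200, headers: { 'content-type': 'application/json' } });
}

async function main() {
  const handler = createBoundedJsonResponseHandler(64 * 1024); // 64 KiB cap
  try {
    await handler(endlessWhitespaceResponse());
  } catch (e) {
    console.log(`rejected: ${e.name}: ${e.message}`); // ResponseTooLargeError
  }
  // A normal, small JSON body still parses as before.
  console.log(await handler(new Response('{"ok":true}')));
}

main();
```

The cap is checked against bytes received, not characters, so it holds regardless of the provider's encoding; `unboundedJsonHandler` is kept only to show the shape of the unbounded read and would hang on the constructed response until the process ran out of memory.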
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- gist.github.com/YLChen-007/fb1096bc8428bed9a428f764d9d103bb (NVD: Exploit, Third Party Advisory)
- vuldb.com/submit/811406 (NVD: Third Party Advisory, VDB Entry)
- vuldb.com/vuln/364394 (NVD: Third Party Advisory, VDB Entry)
- vuldb.com/vuln/364394/cti (NVD: Permissions Required, VDB Entry)
News mentions: 0 (no linked articles in our index yet)