CVE-2025-48985
BaseFortify
Publication date: 2025-11-07
Last updated on: 2026-02-04
Assigner: HackerOne
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vercel | ai | up to and including 5.0.52 |
| vercel | ai | 5.1.0 |
| vercel | ai_sdk | 6.0.0-beta |
| vercel | ai_sdk | 5.0.52 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Vercel's AI SDK let a user supplying a file bypass the SDK's filetype whitelist, so an application relying on that check could accept a file of a type the whitelist was meant to reject. The weakness is improper input validation (CWE-20): the check did not enforce the properties a file must have before it is treated as an allowed type. The issue is fixed in versions 5.0.52, 5.1.0-beta.9, and 6.0.0-beta.
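The page does not describe the exact check that was bypassed, so the following is an added illustration of the CWE-20 class it belongs to, not code from the AI SDK. It is written in Node.js and assumes a hypothetical upload part of the shape `{ mediaType, data }` built from a data: URL. The weak check trusts the client's declared media type and matches it loosely; the hardened check normalizes the declared type, requires an exact whitelist match, and confirms the declared type against the file's leading bytes. All sample uploads are constructed inline.

```javascript
// Added example, not the AI SDK's own code: a weak upload-type check next to
// its hardened form. Part shape { mediaType, data: Uint8Array } is assumed.

const ALLOWED_TYPES = new Set(['image/png', 'image/jpeg']);

// Leading-byte signatures for the whitelisted types (standard values).
const SIGNATURES = [
  { type: 'image/png',  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
];

// Build a part from a data: URL of the form data:<type>[;base64],<payload>.
// Everything before the comma is taken as the client's *declared* type.
function partFromDataUrl(url) {
  const m = /^data:([^,]*?)(;base64)?,(.*)$/s.exec(url);
  if (!m) throw new Error('not a data URL');
  const data = m[2]
    ? new Uint8Array(Buffer.from(m[3], 'base64'))
    : new Uint8Array(Buffer.from(decodeURIComponent(m[3]), 'utf8'));
  return { mediaType: m[1], data };
}

// Weak check (the CWE-20 pattern): accepts anything whose declared type looks
// like an image and never inspects the bytes. An HTML payload labelled
// image/png passes, and so does image/svg+xml, which is not on the whitelist.
function weakIsAllowed(part) {
  return /^image\//i.test(part.mediaType);
}

// Strip parameters such as ";charset=utf-8", trim, and lowercase so that
// "IMAGE/PNG; charset=utf-8" compares equal to "image/png".
function normalizeMediaType(raw) {
  return String(raw).split(';')[0].trim().toLowerCase();
}

// Identify the type from the leading bytes, or null if no signature matches.
function sniffMediaType(data) {
  for (const sig of SIGNATURES) {
    if (data.length >= sig.bytes.length && sig.bytes.every((b, i) => data[i] === b)) {
      return sig.type;
    }
  }
  return null;
}

// Hardened check: exact whitelist match on the normalized declared type, and
// the bytes must carry the signature of that same type.
function strictIsAllowed(part) {
  const declared = normalizeMediaType(part.mediaType);
  if (!ALLOWED_TYPES.has(declared)) return false;
  return sniffMediaType(part.data) === declared;
}

// Constructed sample uploads: a real PNG header, the same header with a
// differently cased and parameterized label, HTML labelled as PNG, an SVG, and a PDF.
const PNG_B64 = Buffer.from([
  0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d, 0x49, 0x48, 0x44, 0x52,
]).toString('base64');

const SAMPLES = {
  png:       partFromDataUrl(`data:image/png;base64,${PNG_B64}`),
  pngParams: partFromDataUrl(`data:IMAGE/PNG;charset=utf-8;base64,${PNG_B64}`),
  htmlAsPng: partFromDataUrl('data:image/png,' + encodeURIComponent('<script>alert(1)</script>')),
  svg:       partFromDataUrl('data:image/svg+xml,' + encodeURIComponent('<svg onload="alert(1)"/>')),
  pdf:       partFromDataUrl('data:application/pdf,' + encodeURIComponent('%PDF-1.4')),
};

// Run both checks over every sample and return the verdicts by name.
function evaluate() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, part]) => [
      name,
      { weak: weakIsAllowed(part), strict: strictIsAllowed(part) },
    ]),
  );
}

console.table(evaluate());
```

The point to carry over to any upload path: the declared type (from a data: URL prefix, a `Content-Type` header, or a filename extension) is attacker-controlled input, so the whitelist has to be an exact match on a normalized value and the accepted type has to be confirmed from the bytes before the file is stored, rendered, or forwarded to a model.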
How can this vulnerability impact me?
An attacker who can submit files to an application built on the AI SDK could get a file type past the whitelist, so the application may store, render, or pass to a model a file it was meant to reject. The assigned CVSS score rates the severity as low, with limited impact on confidentiality, integrity, and availability; the practical impact depends on what the application does with an accepted file after the check.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the AI SDK to the patched release for the line you are on: 5.0.52, 5.1.0-beta.9, or 6.0.0-beta, or any later version. Until the upgrade is deployed, do not rely on the SDK's filetype whitelist alone; validate the content of accepted files independently of their declared type before storing, rendering, or forwarding them.