CVE-2026-25580
SSRF Vulnerability in Pydantic AI URL Download Function
Publication date: 2026-02-06
Last updated on: 2026-02-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pydantic | pydantic_ai | From 0.0.26 (inc) to 1.56.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-25580 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in the Pydantic AI Python framework, specifically in its URL download functionality. This vulnerability exists in versions from 0.0.26 up to but not including 1.56.0.'}, {'type': 'paragraph', 'content': "The issue arises because the framework's `download_item()` function downloads content from user-supplied URLs without properly validating whether these URLs point to public internet addresses or internal/private network resources."}, {'type': 'paragraph', 'content': 'If an application using Pydantic AI accepts message history or file attachments containing URLs from untrusted external sources, an attacker can craft malicious URLs that cause the server to make HTTP requests to internal network resources such as private IP ranges (e.g., 127.0.0.1, 10.x.x.x, 192.168.x.x) or cloud metadata endpoints (e.g., AWS IMDSv1 at 169.254.169.254).'}, {'type': 'paragraph', 'content': 'This can lead to unauthorized access to internal services, theft of cloud credentials, and internal network scanning.'}, {'type': 'paragraph', 'content': 'The vulnerability affects applications that accept message history or media URLs from external users and use certain Pydantic AI interfaces or adapters.'}, {'type': 'paragraph', 'content': 'The vulnerability is fixed in version 1.56.0, which introduces comprehensive SSRF protections including blocking private IPs and cloud metadata endpoints, protocol validation, DNS resolution before requests, and safe redirect handling.'}] [1]
How can this vulnerability impact me? :
This vulnerability can have serious impacts if you use Pydantic AI in applications that accept URLs from untrusted external sources.
An attacker can exploit this SSRF flaw to make your server perform unauthorized HTTP requests to internal network resources, which are normally inaccessible from outside.
- Access internal services that should be protected from external access.
- Steal sensitive cloud credentials by accessing cloud metadata endpoints (e.g., AWS, GCP, Azure).
- Perform internal network scanning to discover other vulnerable systems or services.
Because the attack requires no privileges or user interaction, it can be triggered remotely by submitting crafted URLs in message histories or file attachments.
Overall, this can lead to significant confidentiality breaches and compromise of your internal infrastructure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unexpected HTTP requests originating from your server to internal network addresses or cloud metadata endpoints. Since the vulnerability involves the server making HTTP requests to private IP ranges or cloud metadata IPs based on user-supplied URLs, detection involves identifying such outbound requests.'}, {'type': 'list_item', 'content': 'Check server logs or network traffic for HTTP requests to private IP ranges such as 127.0.0.1, 10.x.x.x, 172.16.x.x, 192.168.x.x, or cloud metadata IPs like 169.254.169.254.'}, {'type': 'list_item', 'content': 'Use network monitoring tools (e.g., tcpdump, Wireshark) to capture outbound HTTP traffic and filter for requests to internal IP ranges.'}, {'type': 'list_item', 'content': "Example tcpdump command to detect suspicious outbound HTTP requests to private IPs: tcpdump -i <interface> 'dst net 10.0.0.0/8 or dst net 172.16.0.0/12 or dst net 192.168.0.0/16 or dst host 169.254.169.254'"}, {'type': 'list_item', 'content': 'Inspect application logs for usage of the `download_item()` function or URL downloads from untrusted sources that include internal or cloud metadata URLs.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The primary immediate mitigation is to upgrade the Pydantic AI package to version 1.56.0 or later, which includes comprehensive SSRF protections.'}, {'type': 'list_item', 'content': 'Upgrade to Pydantic AI version 1.56.0 or newer to benefit from built-in SSRF protections such as blocking private/internal IP addresses and cloud metadata endpoints.'}, {'type': 'list_item', 'content': 'If upgrading is not immediately possible, implement a custom filter on URLs accepted from untrusted sources that:'}, {'type': 'list_item', 'content': '- Parses URLs and resolves hostnames to IP addresses.'}, {'type': 'list_item', 'content': '- Blocks URLs resolving to private, loopback, link-local IPs, or cloud metadata IPs.'}, {'type': 'list_item', 'content': '- Removes such URLs from message histories before processing.'}, {'type': 'list_item', 'content': "Restrict the protocols allowed for URL downloads to only 'http://' and 'https://'."}, {'type': 'list_item', 'content': 'Monitor and audit usage of interfaces that accept message histories or file attachments from external users, such as Agent.to_web, clai web, VercelAIAdapter, AGUIAdapter, and custom APIs.'}] [1]