CVE-2026-25640
Path Traversal in Pydantic AI Web UI Enables XSS Attack
Publication date: 2026-02-06
Last updated on: 2026-02-20
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pydantic | pydantic_ai | From 1.34.0 (inc) to 1.51.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25640 is a stored cross-site scripting (XSS) vulnerability in the Pydantic AI web UI versions from 1.34.0 to before 1.51.0. It arises because the application constructs a CDN URL using a version query parameter from the request URL without proper validation. This allows an attacker to perform a path traversal attack by crafting a malicious URL that causes the server to fetch and serve attacker-controlled HTML or JavaScript from arbitrary locations on the same CDN.

When a victim clicks on or visits this malicious URL, the attacker's JavaScript executes in the victim's browser within the context of the application. This can lead to theft of sensitive client-side data such as chat history and session cookies.

The vulnerability specifically affects applications using Agent.to_web or clai web to serve the chat interface, which are typically run locally but can also be deployed remotely. The issue was fixed in version 1.51.0 by removing the user-controllable version parameter and hardcoding the CDN URL. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to execute arbitrary JavaScript code in your browser when you access a maliciously crafted URL related to the Pydantic AI web UI.
The attacker-controlled script can steal sensitive client-side data such as your chat history stored in localStorage and session cookies that are not protected with HttpOnly flags.
Because the attack requires user interaction (clicking a link or visiting an iframe), it can be triggered through social engineering or malicious links.
This can lead to confidentiality breaches of your chat data and potentially compromise your session, impacting your privacy and security.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether your Pydantic AI installation is in the vulnerable range (1.34.0 up to, but not including, 1.51.0) and whether the web UI is serving the chat interface via the Agent.to_web or clai web commands.

To detect exploitation attempts on your network or system, monitor HTTP requests to the web UI for suspicious URLs containing path traversal sequences in the version query parameter. For example, look for requests where the version parameter includes '../' or similar patterns.

You can use network monitoring or web server logs to search for such patterns. Example commands to search logs might include:

- `grep -E "version=.*\.\./" /path/to/access.log`
- `tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -E "version=.*\.\./"`

Additionally, verify the installed package version with a command like:

- `pip show pydantic-ai`

If the version is within the vulnerable range, the system is susceptible unless patched. [1]
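The log search and version check described above, as an added Python example (not code from the advisory or from the Pydantic AI project): it extracts the `version` query parameter from access-log lines and flags traversal segments, including percent-encoded and double-encoded forms that a literal `../` grep misses. The common/combined log format, the `/` request path, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Affected range from the table above: 1.34.0 (inclusive) to 1.51.0 (exclusive).
AFFECTED_MIN, AFFECTED_MAX = (1, 34, 0), (1, 51, 0)
# Request target in a common/combined-format access log line (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')


def is_affected(version: str) -> bool:
    """True if a plain X.Y.Z release string falls in the affected range."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return AFFECTED_MIN <= parts < AFFECTED_MAX


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%252e%252e -> %2e%2e -> ..)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_versions(log_lines):
    """Return (line_number, decoded_value) for traversal-style `version` values."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for raw in parse_qs(query, keep_blank_values=True).get("version", []):
            value = fully_decode(raw).replace("\\", "/")
            if ".." in value.split("/"):  # a whole path segment equal to ".."
                hits.append((number, value))
    return hits


# Constructed sample lines (documentation IP range, not taken from a real log).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2026:10:01:02 +0000] "GET /?version=1.50.0 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Feb/2026:10:01:09 +0000] "GET /?version=../../example/pkg HTTP/1.1" 200 812',
    '203.0.113.9 - - [10/Feb/2026:10:02:44 +0000] "GET /?version=%252e%252e%252fexample HTTP/1.1" 200 812',
    '203.0.113.9 - - [10/Feb/2026:10:03:00 +0000] "GET /static/app.js?v=.. HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    print(suspicious_versions(SAMPLE_LOG))
```

Pass the version reported by `pip show pydantic-ai` to `is_affected` to decide whether a host needs the 1.51.0 upgrade.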
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade Pydantic AI to version 1.51.0 or later, where the vulnerability is fixed by removing the user-controllable version parameter and hardcoding the CDN URL.
If upgrading is not immediately possible, restrict access to the web UI to trusted users only, for example by limiting network exposure or using firewall rules to block external access.
Also, monitor and block suspicious requests containing path traversal sequences in the version query parameter to prevent exploitation.
Avoid clicking or embedding untrusted URLs that point to the vulnerable web UI to reduce risk of executing attacker-controlled JavaScript.