CVE-2026-25580 – Server-Side Request Forgery (SSRF) in Pydantic AI
| Field | Details |
|---|---|
| CVE Name | Pydantic AI URL Download SSRF |
| CVE ID | CVE-2026-25580 |
| Affected Product | Pydantic AI (pydantic-ai, pydantic-ai-slim) |
| Vulnerability Type | Server-Side Request Forgery (SSRF) |
| CWE | CWE-918 |
| CVSS Version | CVSS v3.1 |
| CVSS Score | 8.6 |
| Severity | High |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | Medium |
| Availability Impact | Low |
| Exploitability | High in exposed deployments |
| Exploit Availability | No mass-weaponized exploit; PoC-style payloads are trivial and reproducible for educational and testing purposes |
| Affected Versions | >= 0.0.26 and < 1.56.0 |
| Patched Version | 1.56.0 and later |
| Official Patch / Upgrade | Link provided below |
Description
A server-side request forgery vulnerability exists in Pydantic AI due to improper validation of URLs processed during automatic content downloads. When structured message parts such as image, audio, document, or video URLs are present in message history, the backend may automatically retrieve the referenced resource.
In affected versions, URL destinations were not sufficiently restricted. As a result, URLs resolving to internal, private, loopback, or link-local addresses could be fetched by the application. This behavior allows an attacker to force the server to initiate outbound requests to network locations that should not be reachable from an external context.
The issue primarily affects applications that accept user-controlled message history or attachments and process them without additional validation.
Root Cause Analysis
The vulnerability was introduced by:
- Automatic download functionality triggered by message content
- Absence of strict allow-listing for URL destinations
- Missing checks against private, loopback, and link-local IP ranges
- No protection against access to cloud metadata endpoints
Because the request originated from the server itself, standard perimeter controls were bypassed.
Affected Components
- Message parsers handling
ImageUrl,AudioUrl,DocumentUrl, andVideoUrl - URL download handlers invoked during message processing
- Adapter layers integrating with chat or UI frameworks where users can submit message parts
Exploitation Details
Attack Preconditions
- The attacker must be able to submit or influence message history
- The application must automatically download URLs found in message parts
- The application must be running a vulnerable version
Exploitation Flow
- A crafted message containing a URL is submitted
- The backend processes the message and triggers a download
- The server performs an HTTP request to the supplied URL
- The response is returned or processed internally
Example Proof-of-Concept Payload (Educational)
{
"role": "user",
"parts": [
{
"type": "file",
"mediaType": "image/png",
"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
}
]
}
This payload forces the backend to request the cloud metadata service, potentially exposing temporary credentials.
Impact Assessment
Successful exploitation may result in:
- Access to internal HTTP services
- Disclosure of cloud instance metadata
- Exposure of temporary access credentials
- Internal network mapping and reconnaissance
- Potential lateral movement within the environment
The highest risk is observed in cloud deployments where metadata services are reachable from application hosts.
Detection and Monitoring
Relevant Log Sources
- Application and framework logs
- Web server access logs
- Outbound proxy or firewall logs
- Cloud audit and metadata access logs
Splunk Detection Query
index=application_logs
("ImageUrl" OR "AudioUrl" OR "DocumentUrl" OR "VideoUrl")
| search url="*169.254.169.254*" OR url="*127.*" OR url="*10.*" OR url="*172.16.*" OR url="*192.168.*"
| table _time, host, user, url, request_id
Elasticsearch / OpenSearch Query
{
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "ImageUrl OR AudioUrl OR DocumentUrl OR VideoUrl"
}
},
{
"query_string": {
"query": "169.254.169.254 OR 127. OR 10. OR 172.16. OR 192.168."
}
}
]
}
}
}
Network IDS Rule (Snort / Suricata)
alert http any any -> any any (
msg:"Possible SSRF attempt to internal or metadata address";
flow:to_server,established;
content:"169.254.169.254"; http_uri;
sid:260002;
rev:1;
)
Mitigation
Primary Remediation
- Upgrade to Pydantic AI version 1.56.0 or later
Official Patch / Upgrade Link
https://github.com/advisories/GHSA-2jrp-274c-jhv3
Additional Defensive Measures
- Implement strict URL allow-listing
- Disable automatic downloads for user-supplied URLs where feasible
- Block outbound access to link-local and private IP ranges
- Enforce least-privilege cloud instance roles
- Monitor outbound traffic for abnormal patterns
Temporary Workarounds
If upgrading is not immediately possible:
- Reject URLs resolving to private or link-local IPs
- Perform DNS resolution checks before downloads
- Apply egress filtering at the network layer
MITRE Mapping
- CWE-918 – Server-Side Request Forgery (SSRF)
Risk Summary
| Category | Risk Level |
|---|---|
| Confidentiality | High |
| Integrity | Medium |
| Availability | Low |
| Overall Risk | High |
Final Takeaway
CVE-2026-25580 represents a high-impact SSRF vulnerability that can be exploited with minimal effort in exposed deployments. Although no mass exploitation has been observed, the ease of crafting malicious payloads makes this issue critical. Prompt patching, strict egress controls, and continuous monitoring are essential to reduce risk.
