Pydantic AI Server-Side Request Forgery Vulnerability in URL Download Functionality

A server-side request forgery (SSRF) vulnerability has been identified in Pydantic AI, a Python agent framework for generative AI applications. This vulnerability affects versions 0.0.26 prior to 1.56.0. The issue arises in the URL download feature, where applications that accept message history from untrusted sources can be exploited. Attackers can include malicious URLs that prompt the server to make HTTP requests to internal network resources, potentially accessing sensitive services or cloud credentials. The vulnerability is particularly relevant for applications using 'Agent.to_web', 'VercelAIAdapter', 'AGUIAdapter', or custom APIs that process user-supplied URLs.

Impact

Exploitation of this vulnerability allows attackers to access internal network resources, cloud metadata endpoints, and potentially steal cloud credentials.

Reproduction

To reproduce this vulnerability, use a Pydantic AI application version between 0.0.26 and prior to 1.56.0 that accepts external message history. This can be done through the web interface, Vercel AI SDK, AG-UI protocol, or a custom API that processes user input. Once the application is set up, send a message with a file attachment containing a URL that points to an internal resource or cloud metadata endpoint. The server will then make a request to the specified URL, bypassing security measures and potentially exposing sensitive information.

Remediation

Users can upgrade to Pydantic AI version 1.56.0 or later, where this vulnerability is fixed. For applications that need to access local network resources, the 'allow-local' option can be used with certain URL types. If an immediate upgrade is not possible, a history processor can be implemented to filter out private URLs before they reach the download function.