Vercel AI
- <= 3.0.97
A server-side request forgery (SSRF) vulnerability has been identified in the Vercel AI SDK, specifically in the '@ai-sdk/provider-utils' package, all versions prior to 3.0.97. The issue lies in the 'validateDownloadUrl' function in 'packages/provider-utils/src/download-blob.ts'. It allows remote attackers to bypass URL validation and redirect requests to internal resources by exploiting a time-of-check to time-of-use (TOCTOU) logic error: the URL is validated before the request is issued, but 'fetch' follows redirects automatically, so the validated URL is not the one that is ultimately requested. Although the SDK includes a post-redirect validation step, it runs only after the redirect has been followed, too late to stop the redirected request from reaching internal services.
Exploitation of this vulnerability allows for blind SSRF attacks, where internal network resources can be accessed without authorization. While the response from the internal service cannot be read due to the SDK's error handling, the request has already been processed, potentially triggering state changes or actions on internal microservices or administrative APIs.
To reproduce this vulnerability, upload an image URL that points to an external server controlled by the attacker. The server should respond with a 302 redirect to an internal IP address. The 'fetch' request will follow the redirect, bypassing the SSRF protection and accessing the internal resource.
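The fix for this class of bug is to stop relying on a single up-front check and instead validate every hop of the redirect chain before the request for that hop is sent. The following is an added example written for this page, not code from the Vercel AI SDK or its fix; it reuses the name 'validateDownloadUrl' only to mirror the role the advisory describes. It assumes a Node-style 'fetch' that, when called with `redirect: 'manual'`, returns the 3xx response itself so the caller can inspect the Location header; the fetch implementation is injected so the example runs offline against a constructed redirect-to-internal scenario. Hostnames, addresses and paths in it are constructed sample values.

```javascript
// Added example (not Vercel AI SDK code): a download helper that validates
// each redirect target *before* requesting it, instead of once up front and
// once after fetch() has already followed the redirect.

const MAX_REDIRECTS = 5;

// True for hostnames / IP literals a server-side helper should never fetch:
// loopback, RFC 1918, link-local (169.254.0.0/16), CGNAT, and IPv6 equivalents.
// Note: this checks the literal only; a public hostname that resolves to a
// private address (DNS rebinding) needs the resolved IP checked and pinned.
function isPrivateHost(hostname) {
  const host = hostname.replace(/^\[|\]$/g, '').toLowerCase(); // URL keeps [] on IPv6
  if (host === 'localhost' || host.endsWith('.localhost')) return true;

  const v4 = host.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) {
    const a = Number(v4[1]);
    const b = Number(v4[2]);
    return (
      a === 0 || a === 10 || a === 127 ||
      (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) ||
      (a === 100 && b >= 64 && b <= 127)
    );
  }
  if (host.includes(':')) {
    // IPv6 literal: unspecified, loopback, unique-local, link-local, and any
    // IPv4-mapped address (refused wholesale rather than unwrapped).
    if (host === '::' || host === '::1') return true;
    if (/^f[cd]/.test(host)) return true;        // fc00::/7
    if (/^fe[89ab]/.test(host)) return true;     // fe80::/10
    if (host.startsWith('::ffff:')) return true; // ::ffff:a.b.c.d
  }
  return false;
}

// Parses and validates one URL. The WHATWG URL parser normalises forms such
// as http://0x7f000001/ or http://2130706433/ to 127.0.0.1 before we check.
function validateDownloadUrl(urlString) {
  const url = new URL(urlString); // throws TypeError on malformed input
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error(`unsupported protocol: ${url.protocol}`);
  }
  if (url.username || url.password) {
    throw new Error('credentials in URL are not allowed');
  }
  if (isPrivateHost(url.hostname)) {
    throw new Error(`refusing to fetch private address: ${url.hostname}`);
  }
  return url;
}

// Decides the next hop from the response to a request for `current`.
// Returns the validated absolute URL to follow, or null when the response is
// not a redirect. A disallowed Location throws here, before it is fetched,
// which is what closes the TOCTOU window described in the advisory.
function nextHop(current, status, location) {
  if (![301, 302, 303, 307, 308].includes(status)) return null;
  if (!location) throw new Error('redirect without Location header');
  // Relative Locations resolve against the hop that issued them.
  return validateDownloadUrl(new URL(location, current).toString());
}

// Follows redirects manually using the injected fetch implementation.
async function downloadBlob(urlString, fetchImpl) {
  let url = validateDownloadUrl(urlString);
  for (let hops = 0; hops <= MAX_REDIRECTS; hops++) {
    const res = await fetchImpl(url.toString(), { redirect: 'manual' });
    const next = nextHop(url, res.status, res.headers.get('location'));
    if (next === null) {
      if (res.status < 200 || res.status >= 300) {
        throw new Error(`download failed with status ${res.status}`);
      }
      return res;
    }
    url = next;
  }
  throw new Error('too many redirects');
}

// Constructed stand-in for fetch: a public-looking host answers with a 302 to
// an RFC 1918 address. It records every URL requested so a caller can confirm
// the internal address was never contacted.
function makeFakeFetch() {
  const requested = [];
  const fetchImpl = async (url) => {
    requested.push(url);
    if (url.startsWith('http://cdn.example.com/')) {
      return { status: 302, headers: new Map([['location', 'http://10.0.0.5/internal/']]) };
    }
    return { status: 200, headers: new Map() };
  };
  return { fetchImpl, requested };
}
```

With the fake fetch above, `downloadBlob('http://cdn.example.com/image.png', fetchImpl)` rejects with "refusing to fetch private address: 10.0.0.5" and the recorded request list contains only the first URL. The same structure (validate, request with manual redirects, validate the Location, repeat) is what a reviewer should look for in any server-side URL-fetching helper; the up-front check alone is not sufficient.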