PyPI: pydantic-ai

CVE-2026-25580

Safety vulnerability ID: SFTY-20260206-11963

Safety legacy ID: pyup.io-86124

Affected versions of the pydantic-ai package are vulnerable to Server-Side Request Forgery (SSRF) due to missing validation that downloaded URLs resolve to public internet addresses. The download_item() helper is invoked by URL-backed message parts (for example, ImageUrl, AudioUrl, VideoUrl, and DocumentUrl) and can be reached through integrations such as Agent.to_web, VercelAIAdapter, and Agent.to_ag_ui, allowing user-supplied message history to trigger server-side HTTP requests without blocking localhost, private IP ranges, or cloud metadata endpoints.

Created at: Mar 4, 2026
Updated at: Mar 4, 2026

Overview

Pydantic AI has Server-Side Request Forgery (SSRF) in URL Download Handling

Affected Package

Affecting pydantic-ai package, versions >=0.0.26,<1.56.0

How to Fix

Upgrade pydantic-ai to 1.56.0 or higher.
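The check the advisory describes as missing is a resolve-then-validate step before any server-side fetch. The following is an added example of such a check for an application's own URL handling; it is not code from Safety or from pydantic-ai, and the `CONSTRUCTED_DNS` table, `fake_resolver`, and the `METADATA_HOSTS` list are assumptions made here so it runs offline. It rejects loopback, private, link-local (including 169.254.169.254, the usual cloud metadata address), IPv4-mapped IPv6 literals, and any hostname whose DNS answer set contains even one non-public address.

```python
"""Added example (not from the Safety advisory or the pydantic-ai project):
reject download URLs that do not resolve to public internet addresses.
The resolver is injectable so the example runs offline against a
constructed DNS table; without one it falls back to real DNS."""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable

from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Hostnames that commonly alias cloud metadata services (assumed list for
# this example, not taken from the advisory).
METADATA_HOSTS = {"metadata.google.internal", "metadata", "instance-data"}


def _is_public(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True only for routable, non-special addresses."""
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global already excludes loopback, RFC 1918 / ULA, link-local
    # (169.254.0.0/16), documentation ranges and CGNAT; the extra checks
    # cover multicast/reserved/unspecified on older Python versions.
    return (
        ip.is_global
        and not ip.is_multicast
        and not ip.is_reserved
        and not ip.is_unspecified
    )


def default_resolver(host: str) -> list[str]:
    """Real DNS lookup, used only when no resolver is injected."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_download_url(
    url: str, resolver: Callable[[str], Iterable[str]] = default_resolver
) -> str:
    """Return url unchanged if it is safe to fetch, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname  # lower-cased, IPv6 brackets already stripped
    if not host:
        raise ValueError("url has no host")
    if host in METADATA_HOSTS or host == "localhost" or host.endswith(".localhost"):
        raise ValueError(f"blocked host: {host}")
    # Literal IPs need no DNS but are validated the same way.
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        raise ValueError(f"host does not resolve: {host}")
    # Reject if ANY answer is non-public: a mixed answer set is how a check
    # that inspects only the first address gets bypassed.
    bad = [str(a) for a in addrs if not _is_public(a)]
    if bad:
        raise ValueError(f"{host} resolves to non-public address(es): {bad}")
    return url


def is_safe_download_url(
    url: str, resolver: Callable[[str], Iterable[str]] = default_resolver
) -> bool:
    """Boolean wrapper around check_download_url for callers that do not want exceptions."""
    try:
        check_download_url(url, resolver)
        return True
    except ValueError:
        return False


# Constructed DNS answers for offline demonstration (not real records).
CONSTRUCTED_DNS = {
    "cdn.example.net": ["8.8.8.8"],                    # public only
    "rebind.example.net": ["8.8.8.8", "10.0.0.5"],     # mixed public/private
    "meta.example.net": ["169.254.169.254"],           # link-local metadata
    "v6meta.example.net": ["fd00:ec2::254"],           # ULA metadata
}


def fake_resolver(host: str) -> list[str]:
    return CONSTRUCTED_DNS.get(host, [])


if __name__ == "__main__":
    for u in (
        "https://cdn.example.net/a.png",
        "https://rebind.example.net/a.png",
        "http://localhost:8000/x",
        "http://[::ffff:127.0.0.1]/",
        "http://meta.example.net/",
    ):
        print(f"{u:40} -> {'allowed' if is_safe_download_url(u, fake_resolver) else 'blocked'}")
```

Two caveats apply to any check of this shape: the addresses must be pinned, so the fetch connects to an address that was actually validated rather than re-resolving the hostname (otherwise a second lookup can return a different answer), and if the HTTP client follows redirects, every hop's target needs the same check.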

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.