CVE-2026-25580 Overview
CVE-2026-25580 is a Server-Side Request Forgery (SSRF) vulnerability affecting Pydantic AI, a Python agent framework used for building applications and workflows with Generative AI. The vulnerability exists in Pydantic AI's URL download functionality and affects versions from 0.0.26 to before 1.56.0. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials.
Critical Impact
Attackers can exploit this SSRF vulnerability to access internal network resources, cloud metadata services, and sensitive credentials by manipulating URL download requests through untrusted message history inputs.
Affected Products
- Pydantic AI versions >= 0.0.26 and < 1.56.0
- Applications accepting message history from untrusted external sources
- Systems using Pydantic AI's URL download functionality with FileUrl processing
Discovery Timeline
- 2026-02-06 - CVE CVE-2026-25580 published to NVD
- 2026-02-06 - Last updated in NVD database
Technical Details for CVE-2026-25580
Vulnerability Analysis
The SSRF vulnerability (CWE-918) in Pydantic AI stems from insufficient validation of URLs processed through the framework's download functionality. When an application built with Pydantic AI accepts message history from external users, the framework processes FileUrl objects contained within those messages. Prior to the patch, these URLs were not adequately validated for SSRF attacks, allowing attackers to craft malicious URLs targeting internal network resources.
The vulnerability is particularly dangerous in AI agent applications where message history may be loaded from external sources, such as conversation logs, user-provided context, or third-party integrations. An attacker could inject a malicious URL pointing to internal services (e.g., http://192.168.1.1/admin) or cloud metadata endpoints (e.g., http://169.254.169.254/latest/meta-data/) within the message history, causing the server to make unauthorized requests to these resources.
Root Cause
The root cause of this vulnerability is the lack of SSRF protection mechanisms in the URL download functionality. The original implementation did not:
- Validate URL protocols (allowing non-HTTP schemes)
- Block private/internal IP address ranges (RFC 1918 addresses)
- Prevent access to cloud metadata endpoints (169.254.169.254)
- Resolve hostnames before making requests to prevent DNS rebinding attacks
This allowed attackers to bypass network boundaries by submitting URLs that resolve to internal addresses after the application processes them.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Identifying an application using Pydantic AI that accepts message history from external sources
- Crafting a malicious message history payload containing FileUrl objects pointing to internal resources
- Submitting the payload to the vulnerable application
- The server processes the malicious URLs and makes requests to internal network resources
- Sensitive data from internal services or cloud credentials is returned to the attacker
# Security patch introducing SSRF protection in messages.py
# Source: https://github.com/pydantic/pydantic-ai/commit/d398bc9d39aecca6530fa7486a410d5cce936301
]
"""Reason the model finished generating the response, normalized to OpenTelemetry values."""
+ForceDownloadMode: TypeAlias = bool | Literal['allow-local']
+"""Type for the force_download parameter on FileUrl subclasses.
+
+- `False`: The URL is sent directly to providers that support it. For providers that don't,
+ the file is downloaded with SSRF protection (blocks private IPs and cloud metadata).
+- `True`: The file is always downloaded with SSRF protection (blocks private IPs and cloud metadata).
+- `'allow-local'`: The file is always downloaded, allowing private IPs but still blocking cloud metadata.
+
+"""
ProviderDetailsDelta: TypeAlias = dict[str, Any] | Callable[[dict[str, Any] | None], dict[str, Any]] | None
"""Type for provider_details input: can be a static dict, a callback to update existing details, or None."""
Source: GitHub Commit Change
# Updated download function with SSRF protection documentation
# Source: https://github.com/pydantic/pydantic-ai/commit/d398bc9d39aecca6530fa7486a410d5cce936301
) -> DownloadedItem[str] | DownloadedItem[bytes]:
"""Download an item by URL and return the content as a bytes object or a (base64-encoded) string.
+ This function includes SSRF (Server-Side Request Forgery) protection:
+ - Only http:// and https:// protocols are allowed
+ - Private/internal IP addresses are blocked by default
+ - Cloud metadata endpoints (169.254.169.254) are always blocked
+ - Hostnames are resolved before requests to prevent DNS rebinding
+ Set `item.force_download='allow-local'` to allow private IP addresses.
Args:
item: The item to download.
data_format: The format to return the content in:
Source: GitHub Commit Change
Detection Methods for CVE-2026-25580
Indicators of Compromise
- Outbound HTTP requests from application servers to internal IP ranges (10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x)
- HTTP requests targeting cloud metadata endpoints (169.254.169.254)
- Unusual network traffic patterns from Pydantic AI application processes to internal services
- Log entries showing URL downloads with private IP addresses or localhost references
Detection Strategies
- Monitor application logs for URL download requests containing private IP addresses or cloud metadata URLs
- Implement network-level monitoring for outbound requests from application servers to internal IP ranges
- Deploy web application firewall (WAF) rules to detect SSRF attack patterns in request payloads
- Review message history inputs for suspicious URL patterns before processing
Monitoring Recommendations
- Enable verbose logging for Pydantic AI's URL download functionality to capture all processed URLs
- Set up alerts for network requests from application servers to RFC 1918 address spaces
- Monitor for DNS queries resolving to internal IP addresses from public-facing applications
- Implement anomaly detection for unusual outbound request patterns from AI agent applications
How to Mitigate CVE-2026-25580
Immediate Actions Required
- Upgrade Pydantic AI to version 1.56.0 or later immediately
- Audit all applications using Pydantic AI that accept message history from external sources
- Implement network segmentation to limit potential SSRF impact
- Review and validate all external inputs before passing to Pydantic AI message processing
Patch Information
The vulnerability has been addressed in Pydantic AI version 1.56.0. The fix introduces comprehensive SSRF protection including protocol validation (HTTP/HTTPS only), private IP address blocking, cloud metadata endpoint blocking, and DNS rebinding prevention. For detailed information about the security fix, refer to the GitHub Security Advisory and the security patch commit.
Workarounds
- If immediate upgrade is not possible, implement input validation to sanitize URLs in message history before processing
- Deploy network-level controls to block outbound requests from application servers to internal IP ranges
- Use the force_download='allow-local' parameter only when explicitly required and in trusted environments
- Consider implementing an allowlist of permitted URL domains for file downloads
# Configuration example - Upgrade Pydantic AI to patched version
pip install --upgrade pydantic-ai>=1.56.0
# Verify installed version
pip show pydantic-ai | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
