@ai-sdk/provider-utils@5.0.0-canary.38

Direct Vulnerabilities

Known vulnerabilities in the @ai-sdk/provider-utils package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability (M = medium severity)                       Vulnerable version

  • [M] Allocation of Resources Without Limits or Throttling

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in several response.text() calls in response-handler.ts, which read and buffer a response body of arbitrary length. Functions such as createJsonResponseHandler() and createJsonErrorResponseHandler() make these unbounded calls directly, without the size limits that a higher-level JSON handling API could enforce. An attacker who can convince a client to connect to a malicious server can return an arbitrarily large (or never-ending) body and trigger an out-of-memory failure in the client.

How to fix Allocation of Resources Without Limits or Throttling?

There is no fixed version for @ai-sdk/provider-utils.

Vulnerable version: * (all versions)
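Since no fixed version exists, the practical mitigation is on the consuming side: read the body with a cap instead of calling response.text(). The following is an added example, not code from @ai-sdk/provider-utils; it uses only Node 18+ globals (Response, ReadableStream, Headers, TextDecoder), and the function names and the 1 MiB limit are assumptions. fakeResponse() is a constructed stand-in for a server so the example runs offline; passing Infinity models a server that never stops sending.

```javascript
// Added example, not code from @ai-sdk/provider-utils: a bounded replacement
// for `await response.text()`. Uses only Node 18+ globals (Response,
// ReadableStream, Headers, TextDecoder). Names and the limit are assumptions.

const DEFAULT_MAX_BODY_BYTES = 1024 * 1024; // assumed 1 MiB cap; tune per API

class BodyTooLargeError extends Error {
  constructor(limit) {
    super(`response body exceeds limit of ${limit} bytes`);
    this.name = 'BodyTooLargeError';
  }
}

// Reject before reading anything when the server declares an oversized body.
// A malicious server can lie or omit the header, so this is only a fast path.
function checkContentLength(headers, maxBytes) {
  const declared = headers.get('content-length');
  if (declared !== null && Number(declared) > maxBytes) {
    throw new BodyTooLargeError(maxBytes);
  }
}

// Accumulates chunks but fails as soon as the running total passes maxBytes,
// so peak memory is bounded by maxBytes plus one chunk rather than by the server.
class BoundedBuffer {
  constructor(maxBytes) {
    this.maxBytes = maxBytes;
    this.parts = [];
    this.total = 0;
  }
  push(chunk) {
    this.total += chunk.byteLength;
    if (this.total > this.maxBytes) throw new BodyTooLargeError(this.maxBytes);
    this.parts.push(chunk);
  }
  toBytes() {
    const out = new Uint8Array(this.total);
    let offset = 0;
    for (const part of this.parts) {
      out.set(part, offset);
      offset += part.byteLength;
    }
    return out;
  }
}

// Drop-in for `await response.text()` that stops pulling from the socket at the cap.
async function readTextBounded(response, maxBytes = DEFAULT_MAX_BODY_BYTES) {
  checkContentLength(response.headers, maxBytes);
  const buffer = new BoundedBuffer(maxBytes);
  const reader = response.body.getReader();
  try {
    for (;;) {
      const { done, value } = await reader.read();
      if (done) break;
      buffer.push(value); // throws BodyTooLargeError once the cap is exceeded
    }
  } finally {
    await reader.cancel().catch(() => {}); // release the connection either way
  }
  return new TextDecoder().decode(buffer.toBytes());
}

// Constructed stand-in for a server response: chunkCount chunks of chunkSize 'a'
// bytes. Pass Infinity for chunkCount to model a server that never stops sending.
function fakeResponse(chunkCount, chunkSize, headers = {}) {
  let sent = 0;
  const body = new ReadableStream({
    pull(controller) {
      if (sent >= chunkCount) {
        controller.close();
        return;
      }
      controller.enqueue(new Uint8Array(chunkSize).fill(0x61));
      sent += 1;
    },
  });
  return new Response(body, { headers });
}
```

The reader is cancelled in a finally block so that an over-limit body also closes the underlying connection instead of leaving the server free to keep streaming. Where the client you use lets you supply your own fetch implementation, wrapping responses this way at that boundary is the least invasive place to apply the limit.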
  • [M] Server-side Request Forgery (SSRF)

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) because of the order of operations around validateDownloadUrl() in download-blob.ts and download.ts. The fetch() call is made before validateDownloadUrl() is applied, and fetch() follows redirects by default, so a malicious server can answer with a redirect to an internal address. The SSRF protection then blocks the redirected response, so it never reaches the application or the attacker, but the request to the redirect target has already been sent and may succeed, allowing blind operations on, or disruption of, internal resources.

How to fix Server-side Request Forgery (SSRF)?

There is no fixed version for @ai-sdk/provider-utils.

Vulnerable version: * (all versions)
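The root cause above is that a single validation of the caller's URL says nothing about where fetch() ends up after a redirect. The following added example, not code from @ai-sdk/provider-utils, puts the vulnerable shape next to a hardened one that disables automatic redirects and validates every hop before following it. validateDownloadUrl() here is a hypothetical policy of my own, not the project's function; makeFakeFetch() is a constructed stand-in for fetch() with an attacker-controlled host that redirects to a link-local metadata address, so the example runs offline.

```javascript
// Added example, not code from @ai-sdk/provider-utils: validate-once-then-follow
// (the vulnerable shape) versus validate-every-hop. Node 18+ globals only.

// Hostname patterns that should never be reached from a download helper.
// Hostname matching does not resolve DNS, so a public name that resolves to a
// private address (DNS rebinding) still gets through; resolve and re-check the
// address at connect time if that is in your threat model.
const PRIVATE_HOST_PATTERNS = [
  /^localhost$/i,
  /^127\./, /^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./,
  /^169\.254\./,          // link-local, includes cloud instance metadata endpoints
  /^0\./, /^\[::1\]$/, /^\[::\]$/,
];

// Hypothetical policy, NOT the project's validateDownloadUrl(): http(s) only,
// and the hostname must not look like a local or private address.
function validateDownloadUrl(url) {
  const u = new URL(url);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new Error(`blocked scheme ${u.protocol}`);
  }
  if (PRIVATE_HOST_PATTERNS.some((re) => re.test(u.hostname))) {
    throw new Error(`blocked host ${u.hostname}`);
  }
  return u;
}

// VULNERABLE shape: the caller's URL is checked once, then fetch() follows any
// redirect on its own, so a 302 to an internal address is still requested.
async function downloadFollowingRedirects(url, fetchImpl) {
  validateDownloadUrl(url);
  return fetchImpl(url); // redirect: 'follow' is the default
}

// HARDENED shape: fetch() never follows; each Location is validated before the
// next request is sent, and the chain is capped.
async function downloadValidatingEachHop(url, fetchImpl, maxRedirects = 3) {
  let current = validateDownloadUrl(url).toString();
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = await fetchImpl(current, { redirect: 'manual' });
    if (res.status < 300 || res.status > 399) return res;
    const location = res.headers.get('location');
    if (!location) throw new Error('redirect without Location header');
    // Resolve relative Locations against the current URL, then re-validate.
    current = validateDownloadUrl(new URL(location, current).toString()).toString();
  }
  throw new Error('too many redirects');
}

// Constructed stand-in for fetch(): an attacker host that redirects to the
// instance metadata address, plus a benign public host. `requested` records
// every URL that was actually "sent", which is what the SSRF is about.
function makeFakeFetch() {
  const routes = {
    'https://attacker.example/file': {
      status: 302, headers: { location: 'http://169.254.169.254/latest/meta-data/' }, body: null,
    },
    'http://169.254.169.254/latest/meta-data/': { status: 200, headers: {}, body: 'instance-id=i-0000' },
    'https://cdn.example/file': { status: 200, headers: {}, body: 'public file' },
  };
  const requested = [];
  async function fakeFetch(url, init = {}) {
    requested.push(url);
    const route = routes[url];
    if (!route) return new Response('not found', { status: 404 });
    // Like real fetch: follow 3xx transparently unless redirect: 'manual' is set.
    if (route.status >= 300 && route.status < 400 && init.redirect !== 'manual') {
      return fakeFetch(new URL(route.headers.location, url).toString(), init);
    }
    return new Response(route.body, { status: route.status, headers: route.headers });
  }
  return { fakeFetch, requested };
}
```

Running the vulnerable shape against the fake attacker host records a request to 169.254.169.254 even though the caller only ever named attacker.example; the hardened shape throws at the first hop and the internal address is never contacted. In Node, fetch with redirect: 'manual' returns the 3xx response with its Location header intact, which is what the hop loop relies on; a browser fetch returns an opaque redirect without headers, so the same loop cannot be used there.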