ai@4.3.19 vulnerabilities

AI SDK by Vercel - The AI Toolkit for TypeScript and JavaScript

latest version

5.0.108

latest non vulnerable version

6.0.0-beta.137

first published

11 years ago

latest version published

5 hours ago

licenses detected

Apache-2.0
>=0.0.0-02dba89b-20251009204516 <0.0.1; >=2.0.0

View ai package health on Snyk Advisor (opens in a new tab)

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the ai package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Incorrect Behavior Order ai is an AI SDK by Vercel - The AI Toolkit for TypeScript and JavaScript Affected versions of this package are vulnerable to Incorrect Behavior Order via the `downloadAssets` function. An attacker can upload files with disallowed types by substituting arbitrary downloaded bytes for different supported URLs within the same prompt, thereby bypassing the URL and filetype whitelisting. How to fix Incorrect Behavior Order? Upgrade `ai` to version 5.0.52, 5.1.0-beta.9 or higher.	<5.0.52>=5.1.0-beta.0 <5.1.0-beta.9

Incorrect Behavior Order

ai is an AI SDK by Vercel - The AI Toolkit for TypeScript and JavaScript

Affected versions of this package are vulnerable to Incorrect Behavior Order via the downloadAssets function. An attacker can upload files with disallowed types by substituting arbitrary downloaded bytes for different supported URLs within the same prompt, thereby bypassing the URL and filetype whitelisting.

How to fix Incorrect Behavior Order?

Upgrade ai to version 5.0.52, 5.1.0-beta.9 or higher.

<5.0.52>=5.1.0-beta.0 <5.1.0-beta.9

Go back to all versions of this package