Vulnerability	Vulnerable Version
M Server-side Request Forgery (SSRF) pydantic-ai-slim is an Agent Framework / shim to use Pydantic with LLMs, slim package Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via incomplete blocklist in `is_private_ip` function when `force_download='allow-local'` is enabled. An attacker can access sensitive cloud metadata information by submitting a specially crafted URL containing an IPv4-mapped IPv6, 6to4, or NAT64 encoded address that bypasses the intended blocklist. This is only exploitable if the application explicitly opts for `FileUrl` (I`mageUrl`, `AudioUrl`, `VideoUrl`, `DocumentUrl`) in `force_download='allow-local'` on a URL that is, or could be, influenced by untrusted input. Note: This issue is due to incomplete fix for CVE-2026-25580. How to fix Server-side Request Forgery (SSRF)? Upgrade `pydantic-ai-slim` to version 1.99.0 or higher.	[1.56.0,1.99.0)

Server-side Request Forgery (SSRF)

pydantic-ai-slim is an Agent Framework / shim to use Pydantic with LLMs, slim package

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via incomplete blocklist in is_private_ip function when force_download='allow-local' is enabled. An attacker can access sensitive cloud metadata information by submitting a specially crafted URL containing an IPv4-mapped IPv6, 6to4, or NAT64 encoded address that bypasses the intended blocklist. This is only exploitable if the application explicitly opts for FileUrl (ImageUrl, AudioUrl, VideoUrl, DocumentUrl) in force_download='allow-local' on a URL that is, or could be, influenced by untrusted input.

Note:

This issue is due to incomplete fix for CVE-2026-25580.

How to fix Server-side Request Forgery (SSRF)?

Upgrade pydantic-ai-slim to version 1.99.0 or higher.

[1.56.0,1.99.0)

Go back to all versions of this package