Platform: python
Component: pydantic-ai
Fixed in: 0.0.27
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Pydantic AI, a Python agent framework. This flaw, present in versions 0.0.26 through 1.55.9, allows attackers to manipulate the application into making HTTP requests to internal network resources. The vulnerability is triggered when applications accept message history from untrusted sources, enabling attackers to inject malicious URLs and potentially compromise internal services or access sensitive data.
The SSRF vulnerability in Pydantic AI poses a significant risk to applications that handle user-provided message history. An attacker could craft a malicious URL within this history, causing the Pydantic AI server to send HTTP requests to internal systems. This could lead to unauthorized access to internal APIs, databases, or cloud credentials. The blast radius extends to any internal resource accessible via HTTP, potentially exposing sensitive information or enabling further attacks. Successful exploitation could allow an attacker to map the internal network, identify vulnerable services, and potentially escalate privileges.
This vulnerability was publicly disclosed on 2026-02-06. While no public proof-of-concept (PoC) has been released, the SSRF nature of the vulnerability makes it relatively easy to exploit. The EPSS score is likely to be medium, indicating a moderate probability of exploitation. Monitor for any reports of exploitation attempts and apply the recommended mitigation as soon as possible.
Exploit Status
EPSS: 0.02% (4th percentile)
The primary mitigation for CVE-2026-25580 is to upgrade Pydantic AI to version 1.56.0 or later, which includes a fix for the SSRF vulnerability. If upgrading is not immediately feasible, consider implementing input validation on message history to sanitize URLs and prevent the inclusion of malicious content. Additionally, restrict network access for the Pydantic AI server to only the necessary resources. Web Application Firewalls (WAFs) configured to block suspicious URL patterns can provide an additional layer of defense. After upgrading, confirm the fix by attempting to inject a known malicious URL into message history and verifying that the server does not make an unauthorized request.
Update the pydantic-ai library to version 1.56.0 or higher. This corrects the SSRF vulnerability in URL download handling. Ensure that the application does not accept message history from untrusted sources to mitigate the risk.
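As a concrete form of the interim mitigation above, here is an added example (not pydantic-ai's own code) of validating URLs found in user-supplied message history before an agent is allowed to download them: only http(s) URLs whose hosts resolve to globally routable addresses pass, and anything unparsable or unresolvable is rejected. The message shape (`{'role', 'content'}` dicts), the `FAKE_DNS` table and the function names are assumptions constructed so the example runs offline.

```python
import ipaddress
import re
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
URL_RE = re.compile(r"[a-zA-Z][a-zA-Z0-9+.-]*://[^\s<>\"']+")
# Constructed lookup table standing in for DNS so the example runs offline.
FAKE_DNS = {"example.com": ["8.8.8.8"], "intranet.corp": ["10.0.0.5"],
            "meta.local": ["169.254.169.254"], "v6.corp": ["::ffff:192.168.1.1"]}

def _as_ip(text):
    """Parse an IP literal; return None if `text` is a hostname (or junk)."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def resolve_live(host):
    """Real DNS lookup; raises OSError (socket.gaierror) for unknown hosts."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def resolve_fake(host):
    """Offline stand-in for resolve_live, backed by the constructed FAKE_DNS."""
    if host not in FAKE_DNS:
        raise OSError("no such host")
    return FAKE_DNS[host]

def is_safe_url(url, resolve=resolve_live):
    """http(s) only and every resolved address globally routable; fails closed."""
    try:
        parts, host = urlparse(url), urlparse(url).hostname
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    if (parts.scheme.lower() not in ALLOWED_SCHEMES or not host
            or parts.username or parts.password):  # also rejects user@host tricks
        return False
    try:
        addrs = [host] if _as_ip(host) is not None else resolve(host)
    except OSError:  # unresolvable: reject rather than guess
        return False
    ips = [_as_ip(a) for a in addrs]
    # is_global is False for loopback, RFC 1918, link-local (169.254/16, where
    # cloud metadata endpoints live), IPv4-mapped IPv6, CGNAT and other reserved space.
    return bool(ips) and all(ip is not None and ip.is_global for ip in ips)

def unsafe_urls_in_history(messages, resolve=resolve_live):
    """Return URLs in {'role','content'} messages (assumed shape) the agent must not fetch."""
    return [u for m in messages for u in URL_RE.findall(str(m.get("content", "")))
            if not is_safe_url(u, resolve)]
```

A name can resolve differently when the HTTP client later connects (DNS rebinding), so a stronger deployment pins the validated address at connect time or runs the same test inside the client's connection hook.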
CVE-2026-25580 is a Server-Side Request Forgery (SSRF) vulnerability in Pydantic AI versions 0.0.26 through 1.55.9, allowing attackers to access internal resources via malicious URLs.
You are affected if you are using Pydantic AI versions 0.0.26 through 1.55.9 and your application accepts message history from external, untrusted sources.
Upgrade Pydantic AI to version 1.56.0 or later. Implement input validation on message history as a temporary workaround.
While no active exploitation has been confirmed, the SSRF nature of the vulnerability suggests a moderate probability of exploitation.
Refer to the Pydantic AI security advisories on their official website or GitHub repository for the latest information.