Input Validation Bypass in Vercel AI SDK
CVE-2025-48985

3.7LOW

Key Information:

Vendor: Vercel
Status: Ai Sdk
Vendor: CVE Published:; 7 November 2025

Badges

👾 Exploit Exists📰 News Worthy

What is CVE-2025-48985?

A vulnerability exists in Vercel’s AI SDK that may enable attackers to bypass filetype whitelists during file uploads. This flaw could potentially allow unauthorized file uploads, leading to security risks for affected systems. Users are strongly advised to upgrade to the newly released versions 5.0.52, 5.1.0-beta.9, or 6.0.0-beta to mitigate this threat and secure their applications. For comprehensive information about this issue, please refer to the Vercel changelog.

Affected Version(s)

AI SDK 5.0.51

AI SDK 5.1.0-beta.8

AI SDK 6.0.0-beta.*

News Articles

wiz.io

CVE-2025-48985

CVE-2025-48985 Impact, Exploitability, and Mitigation Steps | Wiz

Understand the critical aspects of CVE-2025-48985 with a detailed vulnerability assessment, exploitation potential, affected technologies, and remediation guidance.

2 weeks ago

References

https://github.com/vercel/ai/commit/930399bb9839a8baf3d34...

https://vercel.com/changelog/cve-2025-48985-input-validat...

CVSS V3.1

Score:

3.7

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

👾
Exploit known to exist
Nov 11, 2025
📰
First article discovered by wiz.io
Nov 11, 2025
Vulnerability published
Nov 7, 2025
Vulnerability Reserved
May 29, 2025

JSON