CVE-2025-48985

Summary

A vulnerability in Vercel’s AI SDK has been fixed in versions 5.0.52, 5.1.0-beta.9, and 6.0.0-beta. This issue may have allowed users to bypass filetype whitelists when uploading files. All users are encouraged to upgrade.

More details: https://vercel.com/changelog/cve-2025-48985-input-validation-bypass-on-ai-sdk

Affected Software

VendorProductVersion RangeStatus
VercelAI SDK5.0.51 <= 5.0.51affected
VercelAI SDK6.0.0-beta.* < 6.0.0-beta.*unaffected
VercelAI SDK5.1.0-beta.8 <= 5.1.0-beta.8affected
VercelAI SDK5.1.0-beta.9 < 5.1.0-beta.9unaffected
VercelAI SDK5.0.52 < 5.0.52unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References