fix(security): add URL validation to prevent SSRF in download functions

[gr2m]

Background

The downloadBlob function (@ai-sdk/provider-utils) and download function (ai) fetch user-provided URLs without any validation. When users pass image URLs to generateImage(), strings starting with "http" flow directly to fetch() via downloadBlob(file.url) in OpenAI, OpenAI-compatible, and DeepInfra image models. This enables blind SSRF — attackers can make the server request internal resources (localhost, cloud metadata endpoints like 169.254.169.254, private IPs).

Summary

Added a shared validateDownloadUrl utility in @ai-sdk/provider-utils that both downloadBlob and download call before fetch. It throws DownloadError if the URL is unsafe:

• Protocol — only http: and https: allowed
• Hostname — blocks localhost, *.local, *.localhost, empty hostname
• IPv4 — blocks private ranges: 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, 0.0.0.0/8
• IPv6 — blocks ::1, fc00::/7, fe80::/10, ::, and IPv4-mapped addresses (::ffff:x.x.x.x)

No DNS resolution checks (not available in edge runtimes). Reuses DownloadError for rejected URLs.

Manual Verification

• Ran pnpm vitest run src/validate-download-url.test.ts in packages/provider-utils — 29 tests pass
• Ran pnpm vitest run src/download-blob.test.ts in packages/provider-utils — 13 tests pass
• Ran pnpm vitest run src/util/download/download.test.ts in packages/ai — 7 tests pass

Checklist

• Tests have been added / updated (for bug fixes / features)
• Documentation has been added / updated (for bug fixes / features)
• A patch changeset for relevant packages has been added (for bug fixes / features - run pnpm changeset in the project root)
• I have reviewed this pull request (self-review)

Future Work

• DNS rebinding protection could be added if a DNS resolution API becomes available in edge runtimes
• Consider making the blocklist configurable for users who need to access private networks intentionally

[vercel-ai-sdk]

⚠️ Backport to release-v5.0 created but has conflicts: #13086

[vercel-ai-sdk]

🚀 Published in:

Package	Version
ai	6.0.116
@ai-sdk/alibaba	1.0.10
@ai-sdk/amazon-bedrock	4.0.77
@ai-sdk/angular	2.0.117
@ai-sdk/anthropic	3.0.58
@ai-sdk/assemblyai	2.0.24
@ai-sdk/azure	3.0.42
@ai-sdk/baseten	1.0.38
@ai-sdk/black-forest-labs	1.0.24
@ai-sdk/bytedance	1.0.4
@ai-sdk/cerebras	2.0.39
@ai-sdk/cohere	3.0.25
@ai-sdk/deepgram	2.0.24
@ai-sdk/deepinfra	2.0.39
@ai-sdk/deepseek	2.0.24
@ai-sdk/elevenlabs	2.0.24
@ai-sdk/fal	2.0.25
@ai-sdk/fireworks	2.0.40
@ai-sdk/gateway	3.0.66
@ai-sdk/gladia	2.0.24
@ai-sdk/google	3.0.42
@ai-sdk/google-vertex	4.0.79
@ai-sdk/groq	3.0.29
@ai-sdk/huggingface	1.0.37
@ai-sdk/hume	2.0.24
@ai-sdk/klingai	3.0.8
@ai-sdk/langchain	2.0.122
@ai-sdk/llamaindex	2.0.116
@ai-sdk/lmnt	2.0.24
@ai-sdk/luma	2.0.24
@ai-sdk/mcp	1.0.25
@ai-sdk/mistral	3.0.24
@ai-sdk/moonshotai	2.0.10
@ai-sdk/open-responses	1.0.6
@ai-sdk/openai	3.0.41
@ai-sdk/openai-compatible	2.0.35
@ai-sdk/perplexity	3.0.23
@ai-sdk/prodia	1.0.21
@ai-sdk/provider-utils	4.0.19
@ai-sdk/react	3.0.118
@ai-sdk/replicate	2.0.24
@ai-sdk/revai	2.0.24
@ai-sdk/rsc	2.0.116
@ai-sdk/svelte	4.0.116
@ai-sdk/togetherai	2.0.39
@ai-sdk/valibot	2.0.20
@ai-sdk/vercel	2.0.37
@ai-sdk/vue	3.0.116
@ai-sdk/xai	3.0.67