Base Score

LOW3.7

CVE-2025-48985

A vulnerability in Vercel’s AI SDK has been fixed in versions 5.0.52, 5.1.0-beta.9, and 6.0.0-beta. This issue may have allowed users to bypass filetype whitelists when uploading files. All users are encouraged to upgrade. More details: https://vercel.com/changelog/cve-2025-48985-input-validation-bypass-on-ai-sdk

VectorNETWORK

Published Bysupport@hackerone.com

Published DateNov 07, 2025, 01:15

Affected Versions(2)

ai(npm)

Introduced0

Fixed5.0.52

LimitN/A

ai(npm)

Introduced5.1.0-beta.0

Fixed5.1.0-beta.9

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
ai(npm)	0	5.0.52	N/A
ai(npm)	5.1.0-beta.0	5.1.0-beta.9	N/A

Weakness Type (CWE):CWE-20

CVSS Metrics

Base Score

3.7

Vector String

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Base Severity

LOW

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

HIGH

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

LOW

Availability (A)

NONE

References

Base Score

LOW3.7

Weakness Type (CWE):CWE-20

CVSS Metrics

Base Score

3.7

Vector String

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Base Severity

LOW

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

HIGH

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

LOW

Availability (A)

NONE