ai is vulnerable to Server-Side Request Forgery (SSRF)
66
Medium Risk
The download helper in the top-level ai package fetches user-provided URLs without restricting protocol, hostname, or destination IP. The fix calls a new validateDownloadUrl utility that rejects non-HTTP(S) schemes, loopback, link-local, and private IPv4 and IPv6 ranges before the request is issued. The fix also validates the URL after redirects.
You are affected if you are using a version that falls within the vulnerable range.
ai is vulnerable to Server-Side Request Forgery (SSRF) in versions 0.0.1 - 6.0.117.
Upgrade the ai library to the patched version.