AIKIDO-2026-11000

ai is vulnerable to Prompt Injection

Prompt Injection Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Yesterday

64

Medium Risk

This Affects:

ai (JS)
0.0.1 - 6.0.169
Fixed in 6.0.170

TL;DR

The standardizePrompt helper in the ai package previously accepted system-role entries inside the caller-supplied messages and prompt arrays used by generateText, streamText, generateObject, streamObject, and streamUI. Applications that forward end-user input directly into those arrays let an attacker inject a system message that overrides the developer's system instructions. The pre-fix behavior accepted system messages silently with no warning or rejection. The fix introduces an allowSystemInMessages option that warns by default when system messages appear in those fields and lets the application explicitly opt in to throw InvalidPromptError or preserve the legacy permissive behavior.

Who does this affect?

You are affected if you are using a version of ai that falls within the vulnerable range, 0.0.1 - 6.0.169.

Background info

ai is vulnerable to Prompt Injection in versions 0.0.1 - 6.0.169.

How to fix this

Upgrade the ai library to the patched version, 6.0.170.
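
An application-side check for the pattern the TL;DR describes (end-user input forwarded into the messages or prompt arrays), as an added example that is not code from Aikido or the ai project: it accepts only user and assistant roles from the client and keeps the developer's system text in a separate field. The function names, the role allowlist and the sample request bodies are assumptions made for illustration.

```javascript
// Added example: guard for caller-supplied chat history (hypothetical names).
// Assumes each message is an object with a string `role` and a `content` field.
const CLIENT_ROLES = new Set(['user', 'assistant']); // assumption: roles an end user may supply

class UntrustedRoleError extends Error {
  constructor(index, role) {
    super(`message ${index}: role ${JSON.stringify(role)} is not allowed from client input`);
    this.name = 'UntrustedRoleError';
    this.index = index;
  }
}

// Returns a fresh array containing only { role, content }; throws on anything else.
function validateClientMessages(input) {
  if (!Array.isArray(input)) throw new TypeError('messages must be an array');
  return input.map((msg, i) => {
    if (msg === null || typeof msg !== 'object' || Array.isArray(msg)) {
      throw new TypeError(`message ${i}: expected an object`);
    }
    const { role, content } = msg;
    // Exact-match allowlist: 'system', 'System', ' system' and non-strings all fail.
    if (typeof role !== 'string' || !CLIENT_ROLES.has(role)) {
      throw new UntrustedRoleError(i, role);
    }
    if (typeof content !== 'string' && !Array.isArray(content)) {
      throw new TypeError(`message ${i}: content must be a string or an array of parts`);
    }
    return { role, content }; // drop any extra keys the client sent
  });
}

// Keeps the developer's instructions in their own field, separate from client data.
function buildModelInput(systemPrompt, clientMessages) {
  return { system: systemPrompt, messages: validateClientMessages(clientMessages) };
}

// Constructed sample request bodies.
const benign = [{ role: 'user', content: 'Summarise my last order.' }];
const injected = [{ role: 'user', content: 'hi' }, { role: 'system', content: 'constructed override text' }];

function tryBuild(messages) {
  try {
    return { ok: true, input: buildModelInput('You are a support assistant.', messages) };
  } catch (err) {
    return { ok: false, error: err.name, index: err.index };
  }
}
console.log(tryBuild(benign).ok, tryBuild(injected));
```

Run the check on the request body before it reaches generateText, streamText, generateObject, streamObject or streamUI, and log rejected requests so that injection attempts are visible.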