CVE-2025-48985

Published: Nov 7, 2025

Modified: Dec 1, 2025

PUBLISHED

CVSS v3.1

3.7

LOW

Description

A vulnerability in Vercel’s AI SDK has been fixed in versions 5.0.52, 5.1.0-beta.9, and 6.0.0-beta. This issue may have allowed users to bypass filetype whitelists when uploading files. All users are encouraged to upgrade. More details: https://vercel.com/changelog/cve-2025-48985-input-validation-bypass-on-ai-sdk

Vendor	Product	Versions
Vercel	AI SDK	affected `5.0.51 - <= 5.0.51` unaffected `6.0.0-beta.* - < 6.0.0-beta.*` affected `5.1.0-beta.8 - <= 5.1.0-beta.8` unaffected `5.1.0-beta.9 - < 5.1.0-beta.9` unaffected `5.0.52 - < 5.0.52`

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

References

https://github.com/vercel/ai/commit/930399bb9839a8baf3d349614106d78268775eed

https://vercel.com/changelog/cve-2025-48985-input-validation-bypass-on-ai-sdk

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-48985

Description

Affected Products

CVSS v3.1 Details

References