CVE-2025-48985

Severity CVSS v4.0:

Pending analysis

Type:

CWE-20 Input Validation

Publication date:

07/11/2025

Last modified:

04/02/2026

Description

A vulnerability in Vercel’s AI SDK has been fixed in versions 5.0.52, 5.1.0-beta.9, and 6.0.0-beta. This issue may have allowed users to bypass filetype whitelists when uploading files. All users are encouraged to upgrade.<br /> <br /> More details: https://vercel.com/changelog/cve-2025-48985-input-validation-bypass-on-ai-sdk

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS v3.1 Severity and Metrics:

Base Score: 3.70 LOW
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): Low
Availability (A): None

Base Score 3.x

3.70

Severity 3.x

LOW

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:a:vercel:ai::::::::		5.0.52 (excluding)
cpe:2.3:a:vercel:ai:5.1.0:beta0::::::
cpe:2.3:a:vercel:ai:5.1.0:beta1::::::
cpe:2.3:a:vercel:ai:5.1.0:beta2::::::
cpe:2.3:a:vercel:ai:5.1.0:beta3::::::
cpe:2.3:a:vercel:ai:5.1.0:beta4::::::
cpe:2.3:a:vercel:ai:5.1.0:beta5::::::
cpe:2.3:a:vercel:ai:5.1.0:beta6::::::
cpe:2.3:a:vercel:ai:5.1.0:beta7::::::
cpe:2.3:a:vercel:ai:5.1.0:beta8::::::

To consult the complete list of CPE names with products and versions, see this page

CPE	From	Up to
cpe:2.3:a:vercel:ai::::::::		5.0.52 (excluding)
cpe:2.3:a:vercel:ai:5.1.0:beta0::::::
cpe:2.3:a:vercel:ai:5.1.0:beta1::::::
cpe:2.3:a:vercel:ai:5.1.0:beta2::::::
cpe:2.3:a:vercel:ai:5.1.0:beta3::::::
cpe:2.3:a:vercel:ai:5.1.0:beta4::::::
cpe:2.3:a:vercel:ai:5.1.0:beta5::::::
cpe:2.3:a:vercel:ai:5.1.0:beta6::::::
cpe:2.3:a:vercel:ai:5.1.0:beta7::::::
cpe:2.3:a:vercel:ai:5.1.0:beta8::::::

CVE-2025-48985

Description

Impact

Vulnerable products and versions

References to Advisories, Solutions, and Tools