CVE-2026-25580 – This SSRF vulnerability in Pydantic AI allows a... (How to Fix)

📋 TL;DR

This SSRF vulnerability in Pydantic AI allows attackers to make the server request internal network resources when applications accept message history from untrusted sources. Only applications that accept external user message history are affected. Attackers could potentially access internal services or cloud credentials.

💻 Affected Systems

Products:

Pydantic AI

Versions: 0.0.26 to 1.55.x

Operating Systems: All platforms running Python

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when applications accept message history from external/untrusted sources. Applications not processing external message history are not affected.

📦 What is this software?

Pydantic Ai by Pydantic

View all CVEs affecting Pydantic Ai →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of internal network services, access to cloud metadata services exposing credentials, and lateral movement within internal infrastructure.

🟠

Likely Case

Information disclosure from internal services, enumeration of internal network resources, and potential access to cloud instance metadata.

🟢

If Mitigated

Limited to external network access only, with proper input validation and network segmentation preventing internal resource access.

🌐 Internet-Facing: HIGH

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires the application to accept message history from untrusted sources. Simple URL injection can trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.56.0

Vendor Advisory: https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv3

Restart Required: Yes

Instructions:

1. Update Pydantic AI to version 1.56.0 or later using pip: pip install --upgrade pydantic-ai>=1.56.0
2. Restart all affected applications
3. Verify the update was successful

🔧 Temporary Workarounds

Input Validation and URL Filtering

all

Implement strict input validation to reject or sanitize URLs in message history from untrusted sources

Network Segmentation

all

Restrict outbound network access from affected servers to prevent internal resource access

🧯 If You Can't Patch

Implement strict input validation to reject URLs in message history from untrusted sources
Deploy network controls to restrict outbound HTTP requests from affected servers

🔍 How to Verify

Check if Vulnerable:

Check if your application uses Pydantic AI and accepts message history from external users. Review code for URL processing in message handling.

Check Version:

python -c "import pydantic_ai; print(pydantic_ai.__version__)"

Verify Fix Applied:

Verify Pydantic AI version is 1.56.0 or higher and test that malicious URLs in message history no longer trigger internal requests

📡 Detection & Monitoring

Log Indicators:

Unusual outbound HTTP requests from application servers to internal IP ranges
Requests to cloud metadata endpoints (169.254.169.254, etc.)

Network Indicators:

HTTP requests from application servers to internal/private IP ranges
Requests to known cloud metadata services

SIEM Query:

source="application_logs" AND (url_contains="internal" OR dest_ip=private_ip_range OR dest_ip="169.254.169.254")

📊 Metadata

CVE ID: CVE-2026-25580

CVSS v3 Score: 8.6 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CWE: CWE-918

EPSS Score: 0.02% exploit probability (2.6th percentile)

Published: February 6, 2026

Last Updated: February 20, 2026

🔗 References

https://github.com/pydantic/pydantic-ai/commit/d398bc9d39aecca6530fa7486a410d5cce936301 Patch
https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv3 Exploit,Mitigation,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-25580, you might also want to check these: