CVE-2026-25640

7.1 HIGH

📋 TL;DR

A path traversal vulnerability in Pydantic AI's web UI allows attackers to serve malicious JavaScript by crafting URLs with unvalidated version parameters. This enables client-side code execution in victims' browsers, potentially stealing chat history and other data. Only applications using Agent.to_web or CLI web interfaces are affected, typically running locally but possibly deployed remotely.

💻 Affected Systems

Products:
  • Pydantic AI
Versions: 1.34.0 to 1.50.x
Operating Systems: All platforms running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using Agent.to_web() or CLI web interfaces; standard API usage is not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of client-side data including chat history, session tokens, and sensitive information entered in the chat interface via malicious JavaScript execution.

🟠 Likely Case

Theft of chat history and client-side data from users who click malicious links or visit compromised interfaces.

🟢 If Mitigated

Limited impact if application runs in isolated environments without sensitive data or user interaction.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting malicious URLs but no authentication; user interaction needed for successful attack.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.51.0

Vendor Advisory: https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-wjp5-868j-wqv7

Restart Required: Yes

Instructions:

1. Update Pydantic AI: pip install --upgrade pydantic-ai==1.51.0
2. Restart any running applications using Pydantic AI web interfaces
3. Verify the update with: pip show pydantic-ai

🔧 Temporary Workarounds

Disable Web Interfaces

Platform: all

Temporarily disable Agent.to_web() and CLI web interfaces until patching is possible.

Modify code to remove or comment out Agent.to_web() calls
Avoid using 'pydantic-ai web' CLI command

Network Isolation

Platform: all

Restrict access to web interfaces to trusted networks only.

Configure firewall rules to limit access to localhost/trusted IPs
Use reverse proxy with strict URL validation

🧯 If You Can't Patch

  • Deploy web interfaces only on isolated networks with no internet access
  • Implement strict input validation at the application layer to sanitize version parameters

🔍 How to Verify

Check if Vulnerable:

Check whether the application runs Pydantic AI version 1.34.0 to 1.50.x AND uses Agent.to_web() or the CLI web interfaces.

Check Version:

pip show pydantic-ai | grep Version

Verify Fix Applied:

Confirm Pydantic AI version is 1.51.0 or higher and test web interfaces with malicious URL patterns.

📡 Detection & Monitoring

Log Indicators:

  • Unusual URL patterns with path traversal sequences in version parameters
  • Requests to unexpected CDN URLs

Network Indicators:

  • HTTP requests containing '../' or similar sequences in query parameters
  • Unexpected JavaScript file loads from CDN

SIEM Query:

web.url:*version=*../* OR web.url:*%2e%2e%2f*
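
The same log check as an added Python example (not part of the advisory or of Pydantic AI): it scopes the match to the version parameter and decodes the value first, so double-encoded and backslash forms that the literal wildcard query does not match are also flagged. The parameter name "version" is taken from the query above; the log format, paths and the allowlist pattern for legitimate values are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

PARAM = "version"  # assumption: parameter name taken from the SIEM query above
# Assumption: a legitimate value is a plain release string such as "1.51.0".
SAFE_VALUE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is unmasked."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_version(url):
    """Return the decoded 'version' value if it is not a plain release string."""
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() != PARAM:
            continue
        decoded = fully_decode(value).replace("\\", "/")
        if ".." in decoded or not SAFE_VALUE.fullmatch(decoded):
            return decoded
    return None


def scan(lines):
    """Return (line_number, decoded_value) for each flagged access-log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        value = suspicious_version(match.group(1)) if match else None
        if value is not None:
            hits.append((number, value))
    return hits


# Constructed sample lines (common log format; paths and values are made up).
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Jan/2026:10:00:00 +0000] "GET /?version=1.51.0 HTTP/1.1" 200 512',
    '127.0.0.1 - - [01/Jan/2026:10:00:05 +0000] "GET /?version=../../x HTTP/1.1" 200 512',
    '127.0.0.1 - - [01/Jan/2026:10:00:09 +0000] "GET /?version=%252e%252e%252fx HTTP/1.1" 200 512',
    '127.0.0.1 - - [01/Jan/2026:10:00:15 +0000] "GET /?q=../docs HTTP/1.1" 200 512',
]
```

Calling scan(SAMPLE_LOG) flags the second and third lines only; the fourth contains '../' but in a different parameter, so it is left to the broader network indicator above.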
