CVE-2025-48985
Published 2025-11-07
Priority: P4 · 28
CVSS 3.1: 5.3 (medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.24% (14.3th percentile)
A vulnerability in Vercel’s AI SDK has been fixed in versions 5.0.52, 5.1.0-beta.9, and 6.0.0-beta. This issue may have allowed users to bypass filetype whitelists when uploading files. All users are encouraged to upgrade.
More details: https://vercel.com/changelog/cve-2025-48985-input-validation-bypass-on-ai-sdk
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | ai | >= 0 < 5.0.52 | 5.0.52 |
| drupal | ai | >= 5.1.0-beta.0 < 5.1.0-beta.9 | 5.1.0-beta.9 |
| vercel | ai | < 5.0.52 | 5.0.52 |
| vercel | ai | — | — |
| vercel | ai_sdk | 5.0.51 – 5.0.51 | — |
| vercel | ai_sdk | 5.1.0-beta.8 – 5.1.0-beta.8 | — |
GHSA
Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files
ghsa·2025-11-07
CVE-2025-48985 [LOW] CWE-20 Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files
OSV
Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files
osv·2025-11-07
CVE-2025-48985 [LOW] Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.