CVE-2025-48985

🗓️ 07 Nov 2025 00:43:28Reported by hackeroneType

cve🔗 web.nvd.nist.gov📰️ 3 Media mentions👁 45 Views

Vercel AI SDK allows file upload bypass; fixed in 5.0.52, 5.1.0-beta.9, 6.0.0-beta.

Reporter	Title	Published	Views	Family All 28
IBM Security Bulletins	Security Bulletin: Vulnerabilities in ai-5.0.26.tgz affecting MongoDB Enterprised Advanced (CVE-2025-48985)	24 Feb 202619:19	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Watsonx BI Assistant for CP4D	24 Mar 202621:49	–	ibm
Chainguard	CVE-2025-48985 vulnerabilities	7 Jan 202601:30	–	cgr
Circl	CVE-2025-48985	7 Nov 202502:28	–	circl
CNNVD	AI SDK 安全漏洞	7 Nov 202500:00	–	cnnvd
Cvelist	CVE-2025-48985	7 Nov 202500:43	–	cvelist
EUVD	EUVD-2025-38188	7 Nov 202503:30	–	euvd
Github Security Blog	Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files	7 Nov 202503:30	–	github
NVD	CVE-2025-48985	7 Nov 202501:15	–	nvd
OSV	CGA-QRXC-26QF-C7F4	29 Jan 202600:49	–	osv

NVD

Node

vercel aiRange<5.0.52

vercel aiMatch5.1.0beta0

vercel aiMatch5.1.0beta1

vercel aiMatch5.1.0beta2

vercel aiMatch5.1.0beta3

vercel aiMatch5.1.0beta4

vercel aiMatch5.1.0beta5

vercel aiMatch5.1.0beta6

vercel aiMatch5.1.0beta7

vercel aiMatch5.1.0beta8

[
  {
    "vendor": "Vercel",
    "product": "AI SDK",
    "versions": [
      {
        "version": "5.0.51",
        "status": "affected",
        "lessThanOrEqual": "5.0.51",
        "versionType": "semver"
      },
      {
        "version": "6.0.0-beta.*",
        "status": "unaffected",
        "lessThan": "6.0.0-beta.*",
        "versionType": "semver"
      },
      {
        "version": "5.1.0-beta.8",
        "status": "affected",
        "lessThanOrEqual": "5.1.0-beta.8",
        "versionType": "semver"
      },
      {
        "version": "5.1.0-beta.9",
        "status": "unaffected",
        "lessThan": "5.1.0-beta.9",
        "versionType": "semver"
      },
      {
        "version": "5.0.52",
        "status": "unaffected",
        "lessThan": "5.0.52",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
vercel	www.vercel.com/changelog/cve-2025-48985-input-validation-bypass-on-ai-sdk
github	www.github.com/vercel/ai/commit/930399bb9839a8baf3d349614106d78268775eed

04 Feb 2026 21:11Current

6.5Medium risk

Vulners AI Score6.5

CVSS 3.13.7 - 5.3

EPSS0.00083

SSVC

CWE-20