Impact
The vulnerability allows an application using pydantic‑ai to bypass the cloud‑metadata blocklist by encoding a metadata IP in IPv6 transition forms such as IPv4‑compatible, SIIT/IVI, and local NAT64. This bypass enables the application to reach the internal cloud metadata endpoint and retrieve short‑term IAM credentials, which threatens confidentiality and affects the integrity of any services that use those credentials. The flaw is a Server‑Side Request Forgery identified as CWE‑918.
Affected Systems
Products pydantic:pydantic‑ai and pydantic:pydantic‑ai‑slim are affected in versions 1.56.0 through 1.101.0, 2.0.0b1 and 2.0.0b2. The fix is included in version 2.0.0b3. Any deployment of the affected versions that runs on a network employing NAT64, IPv6‑only, or ISATAP tunnels, or that enables force_download='allow-local', is vulnerable.
Risk and Exploitability
The CVSS score is 6.8 and the EPSS probability is below 1%, indicating a moderate severity but with a very low expected exploitation rate. The vulnerability is not listed in the CISA KEV catalog. Exploitation depends on the application enabling force_download='allow-local' and the network routing one of the IPv6 transition forms, which means that typical dual‑stack cloud VMs or containers that do not use these forms are not affected in practice.
OpenCVE Enrichment
Github GHSA