Description
A vulnerability was determined in vercel ai up to 3.0.97. The impacted element is the function createJsonResponseHandler/createJsonErrorResponseHandler of the file packages/provider-utils/src/response-handler.ts of the component provider-utils. This manipulation causes resource consumption. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-17
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability affects the createJsonResponseHandler and createJsonErrorResponseHandler functions in Vercel AI's provider-utils module, allowing attackers to supply crafted JSON responses that trigger excessive allocation and processing of resources. The resulting uncontrolled consumption can degrade system performance or cause a denial of service, as identified by CWE‑400 and CWE‑404.

Affected Systems

The issue exists in Vercel AI versions up to and including 3.0.97. All installations of Vercel AI, specifically the provider-utils component, are potentially affected.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. No EPSS score is available, so the current likelihood of exploitation cannot be quantified. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. The description indicates the exploit can be initiated remotely, meaning attackers could trigger the resource consumption by sending crafted requests. No additional exploitation conditions are stated.

Generated by OpenCVE AI on May 18, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vercel AI to a patched release (version 3.0.98 or later) that addresses the response-handler flaw.
  • If an upgrade is not immediately possible, implement request throttling or rate limiting on incoming JSON responses to limit potential resource consumption.
  • Validate or configure the JSON processing to enforce maximum size limits and reject excessively large or malformed responses.
  • Monitor system metrics and logs for abnormal resource usage that could indicate exploitation attempts.

Generated by OpenCVE AI on May 18, 2026 at 00:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 17 May 2026 23:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in vercel ai up to 3.0.97. The impacted element is the function createJsonResponseHandler/createJsonErrorResponseHandler of the file packages/provider-utils/src/response-handler.ts of the component provider-utils. This manipulation causes resource consumption. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Title vercel ai provider-utils response-handler.ts createJsonErrorResponseHandler resource consumption
First Time appeared Vercel
Vercel ai
Weaknesses CWE-400
CWE-404
CPEs cpe:2.3:a:vercel:ai:*:*:*:*:*:*:*:*
Vendors & Products Vercel
Vercel ai
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Vercel Ai
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-17T23:00:13.988Z

Reserved: 2026-05-17T09:28:09.002Z

Link: CVE-2026-8769

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-17T23:17:03.180

Modified: 2026-05-17T23:17:03.180

Link: CVE-2026-8769

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-18T00:30:13Z

Weaknesses