Pydantic AI — SSRF Cloud-Metadata Blocklist Bypass via IPv6
AI relevance: Pydantic AI is an agentic framework where tool calls and web-fetch capabilities can issue outbound HTTP requests; an SSRF bypass in its allow-local URL filter lets attackers reach internal services and cloud metadata from within AI agent tool execution.
- CVE-2026-46678 is an incomplete fix for the original GHSA-2jrp-274c-jhv3 / CVE-2026-25580 SSRF blocklist bypass in Pydantic AI.
- The bypass uses IPv6 transition-encoded address forms (e.g.,
::ffff:127.0.0.1) that evade the library's RFC 1918 and loopback blocklists. - The attack requires the application to explicitly opt into
allow-localon a URL influenced by untrusted input, giving it a CVSS access-complexity rating of High. - Pydantic AI agents use HTTP tool calls for web browsing, API integration, and RAG — any path where user-controlled URLs flow into outbound requests is potentially exploitable.
- This follows a well-worn pattern: IP address blocklists in SSRF defenses are routinely bypassed via decimal encoding, IPv6, Unicode domains, or DNS rebinding.
- The narrow attack surface (
AC:H) means exploitation requires specific configuration, but the prevalence ofallow-localin AI tool integrations keeps this relevant.
Why it matters
SSRF blocklist bypasses are a cat-and-mouse game with no winning defense on the application side. AI agent frameworks compound the risk because they inherently route user-influenced data into HTTP tool calls. IPv6 bypasses specifically highlight that naive IP-range filtering is insufficient — any SSRF defense needs protocol-aware address normalization.
What to do
- Avoid
allow-localunless your use case requires local access — and if it does, implement strict allowlist-based domain filtering instead of blocklists. - Use an HTTP proxy with egress policy enforcement (deny RFC 1918, IPv6-mapped IPv4, and cloud IMDS ranges) as a second control layer.
- Update Pydantic AI to the latest patched version.