pydantic-ai-slim SSRF bypass via IPv6 transition forms

27 Jun 2026 · Read 1 min · Severity: schedule it

What changed

SSRF protection for cloud metadata endpoints did not decode IPv6 transition forms (IPv4-compatible IPv6, NAT64 prefixes, ISATAP, Teredo), allowing bypass of the metadata blocklist when force_download='allow-local' is used on networks that route these forms.
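
An added example (not pydantic-ai's code and not its actual fix) of the decoding step described above: it extracts the IPv4 address carried by each listed transition form before checking the blocklist. The function names, the 169.254.0.0/16 blocklist and the reading of the NAT64 local-use prefix as a /96 embedding are assumptions; the input must be an already-resolved IP literal, not a hostname.

```python
import ipaddress

# Assumed blocklist for illustration: the link-local range that contains the
# common cloud metadata address 169.254.169.254.
METADATA_NETS = [ipaddress.ip_network("169.254.0.0/16")]

NAT64_WKP = ipaddress.ip_network("64:ff9b::/96")      # RFC 6052 well-known prefix
NAT64_LOCAL = ipaddress.ip_network("64:ff9b:1::/48")  # RFC 8215 local-use prefix
TEREDO = ipaddress.ip_network("2001::/32")            # RFC 4380


def embedded_ipv4(addr):
    """Return every IPv4 address that an IP address may carry or map to."""
    if addr.version == 4:
        return [addr]
    n = int(addr)
    low32 = ipaddress.IPv4Address(n & 0xFFFFFFFF)
    found = []
    # IPv4-compatible (::a.b.c.d) and IPv4-mapped (::ffff:a.b.c.d);
    # n > 1 excludes the unspecified (::) and loopback (::1) addresses.
    if (n >> 32) in (0, 0xFFFF) and n > 1:
        found.append(low32)
    # NAT64: the IPv4 address sits in the low 32 bits of a /96 prefix.
    if addr in NAT64_WKP or addr in NAT64_LOCAL:
        found.append(low32)
    # ISATAP: interface identifier is 0000:5efe or 0200:5efe, then the IPv4.
    if (n >> 32) & 0xFFFFFFFF in (0x00005EFE, 0x02005EFE):
        found.append(low32)
    # Teredo: server IPv4 in bits 32-63, client IPv4 bit-inverted in the low 32.
    if addr in TEREDO:
        found.append(ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF))
        found.append(ipaddress.IPv4Address(~n & 0xFFFFFFFF))
    return found


def is_metadata_target(host):
    """True if the literal, or any IPv4 embedded in it, is on the blocklist."""
    addr = ipaddress.ip_address(host)
    return any(v4 in net for v4 in embedded_ipv4(addr) for net in METADATA_NETS)
```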

Who it affects

Applications using pydantic-ai or pydantic-ai-slim >=1.56.0, <1.102.0 or >=2.0.0b1, <2.0.0b3 that set force_download='allow-local' on a FileUrl from untrusted input, on a NAT64 or ISATAP network.

What to do today

Upgrade to pydantic-ai-slim 1.102.0 or later (or 2.0.0b3 or later on the 2.0 pre-release line).
