
CVE-2026-25640: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in pydantic pydantic-ai

Severity: High
Tags: CVE-2026-25640, CWE-22, CWE-79
Published: Fri Feb 06 2026 (02/06/2026, 20:01:53 UTC)
Source: CVE Database V5
Vendor/Project: pydantic
Product: pydantic-ai

Description

Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 1.34.0 to before 1.51.0, a path traversal vulnerability in the Pydantic AI web UI allows an attacker to serve arbitrary JavaScript in the context of the application by crafting a malicious URL. In affected versions, the CDN URL is constructed using a version query parameter from the request URL. This parameter is not validated, allowing path traversal sequences that cause the server to fetch and serve attacker-controlled HTML/JavaScript from an arbitrary source on the same CDN, instead of the legitimate chat UI package. If a victim clicks the link or visits it via an iframe, attacker-controlled code executes in their browser, enabling theft of chat history and other client-side data. This vulnerability only affects applications that use Agent.to_web to serve a chat interface and clai web to serve a chat interface from the CLI. These are typically run locally (on localhost), but may also be deployed on a remote server. This vulnerability is fixed in 1.51.0.

AI-Powered Analysis

Last updated: 02/06/2026, 20:29:31 UTC

Technical Analysis

Pydantic AI is a Python framework that facilitates building applications and workflows with Generative AI, including a web-based chat UI served via Agent.to_web or the CLI tool clai web. Versions from 1.34.0 up to but not including 1.51.0 contain a path traversal vulnerability (CWE-22) in the construction of the CDN URL used to load JavaScript resources for the chat interface. The vulnerability arises because the version query parameter in the request URL is not properly validated or sanitized, allowing an attacker to inject path traversal sequences (e.g., '../') that cause the server to fetch and serve arbitrary HTML/JavaScript files from the same CDN but outside the intended directory. This enables an attacker to execute arbitrary JavaScript in the victim’s browser context (CWE-79), effectively a stored cross-site scripting attack. Exploitation requires the victim to click a crafted URL or load it in an iframe, leading to execution of attacker-controlled scripts that can steal sensitive client-side data such as chat history. The vulnerability affects both local deployments (commonly on localhost) and potentially remote deployments if the interface is exposed externally. The flaw does not require any authentication or elevated privileges, and the attack complexity is low. The vulnerability was publicly disclosed and assigned CVE-2026-25640 with a CVSS 3.1 score of 7.1, indicating high severity. No known exploits are currently reported in the wild. The issue is resolved in pydantic-ai version 1.51.0 by properly validating and sanitizing the version parameter to prevent path traversal.

Potential Impact

For European organizations using pydantic-ai to deploy Generative AI chat interfaces, this vulnerability poses a significant risk of client-side data compromise. Attackers can steal sensitive chat histories and potentially other browser-stored information, leading to confidentiality breaches. Organizations deploying these interfaces on remote servers face increased risk of targeted attacks, especially if the interface is publicly accessible. The attack can facilitate further social engineering or lateral movement by exposing user interactions and data. Given the growing adoption of AI frameworks in Europe’s tech and research sectors, exploitation could impact intellectual property and user privacy. The vulnerability undermines trust in AI-powered applications and may lead to regulatory repercussions under GDPR if personal data is exposed. Although exploitation requires user interaction, phishing campaigns leveraging this vulnerability could be effective. The lack of known exploits in the wild suggests a window for proactive mitigation. Overall, the impact on confidentiality is high, with limited integrity and availability impact.

Mitigation Recommendations

European organizations should immediately upgrade all pydantic-ai deployments to version 1.51.0 or later to eliminate the vulnerability. For environments where immediate upgrade is not feasible, implement strict input validation and sanitization on the version query parameter at the web server or application proxy level to block path traversal sequences. Restrict access to the chat interface to trusted internal networks or VPNs to reduce exposure. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the browser context. Educate users to avoid clicking suspicious links and monitor for phishing attempts leveraging this vulnerability. Conduct regular security audits and penetration tests focusing on web UI components of AI frameworks. Implement logging and alerting for unusual URL requests containing path traversal patterns. Finally, review deployment architectures to minimize exposure of local interfaces on public networks.
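The Python below is an added example written for this page; it is not code from pydantic-ai or from the advisory. It illustrates the pattern the Technical Analysis describes (a version query parameter spliced into a CDN URL without validation) beside a hardened builder that allowlists the parameter, and a small log check for the traversal patterns the Mitigation Recommendations suggest alerting on. The CDN base URL, the function names and the log lines are assumptions constructed for the example.

```python
"""Added example: allowlisting a CDN version parameter and spotting traversal attempts in logs."""
import re
from urllib.parse import parse_qs, unquote, urljoin, urlsplit

# Hypothetical CDN base for the chat UI bundle; not the project's real URL.
CDN_BASE = "https://cdn.example.invalid/chat-ui/"

# Strict allowlist: MAJOR.MINOR.PATCH plus an optional dot-separated pre-release
# tag. Slashes, backslashes and consecutive dots can never match.
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*)?$")

# Matches a bare ".." path segment (Unix or Windows separator) anywhere in a value.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")

# Constructed access-log lines in common log format (hypothetical, not from the page).
SAMPLE_LOG = [
    '127.0.0.1 - - [06/Feb/2026:20:01:53 +0000] "GET /chat?version=1.34.0 HTTP/1.1" 200 512',
    '127.0.0.1 - - [06/Feb/2026:20:02:10 +0000] "GET /chat?version=..%2F..%2Fother-package HTTP/1.1" 200 512',
    '10.0.0.5 - - [06/Feb/2026:20:03:44 +0000] "GET /chat?version=%252e%252e%252fevil HTTP/1.1" 200 512',
    '10.0.0.5 - - [06/Feb/2026:20:04:01 +0000] "GET /chat HTTP/1.1" 200 512',
]


def version_from_request(request_url: str, default: str = "1.0.0") -> str:
    """Pull the 'version' query parameter out of a request URL (first value wins)."""
    query = parse_qs(urlsplit(request_url).query)
    return query.get("version", [default])[0]


def build_cdn_url_vulnerable(request_url: str) -> str:
    """The pattern the advisory describes: the parameter is spliced in unvalidated.
    urljoin resolves '..' segments, so the fetched URL can leave CDN_BASE."""
    version = version_from_request(request_url)
    return urljoin(CDN_BASE, f"{version}/index.js")


def build_cdn_url_hardened(request_url: str) -> str:
    """Hardened form: reject anything that is not a plain version string."""
    version = version_from_request(request_url)
    if not VERSION_RE.fullmatch(version):
        raise ValueError(f"rejected version parameter: {version!r}")
    return urljoin(CDN_BASE, f"{version}/index.js")


def hardened_rejects(request_url: str) -> bool:
    """True when the hardened builder refuses the request's version parameter."""
    try:
        build_cdn_url_hardened(request_url)
    except ValueError:
        return True
    return False


def escapes_cdn_base(url: str) -> bool:
    """True when a resolved URL no longer sits under CDN_BASE."""
    return not url.startswith(CDN_BASE)


def flag_traversal_requests(log_lines):
    """Return (line_number, raw_version) for requests whose version parameter holds a
    '..' segment after URL decoding; a second unquote pass catches double encoding."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not match:
            continue
        raw_version = version_from_request(match.group(1), default="")
        decoded = unquote(unquote(raw_version))
        if TRAVERSAL_RE.search(decoded):
            hits.append((number, raw_version))
    return hits


if __name__ == "__main__":
    benign = "http://localhost:8000/chat?version=1.34.0"
    traversal = "http://localhost:8000/chat?version=../evil"
    print("vulnerable, benign   :", build_cdn_url_vulnerable(benign))
    print("vulnerable, traversal:", build_cdn_url_vulnerable(traversal),
          "(escapes base)" if escapes_cdn_base(build_cdn_url_vulnerable(traversal)) else "")
    print("hardened, benign     :", build_cdn_url_hardened(benign))
    print("hardened, traversal  : rejected =", hardened_rejects(traversal))
    for number, raw in flag_traversal_requests(SAMPLE_LOG):
        print(f"log line {number}: suspicious version parameter {raw!r}")
```

The allowlist approach is what matters: checking for `..` alone is a denylist and misses encodings the decoder upstream may accept, whereas a regex that only admits digits, dots, hyphens and alphanumerics cannot produce a second path segment at all. The log scan is the complementary detective control for deployments that cannot upgrade immediately.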


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-04T05:15:41.791Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69864bcdf9fa50a62f2f48a6

Added to database: 2/6/2026, 8:15:09 PM

Last enriched: 2/6/2026, 8:29:31 PM

Last updated: 2/6/2026, 9:20:48 PM

