CVE-2026-8769
@ai-sdk/provider-utils has an Uncontrolled Resource Consumption issue
Description
A vulnerability was determined in Vercel AI up to 3.0.97. The impacted element is the function `createJsonResponseHandler/createJsonErrorResponseHandler` of the file `packages/provider-utils/src/response-handler.ts` of the component `provider-utils`. This manipulation causes resource consumption. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
How to fix CVE-2026-8769
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- —no fix listed
Is CVE-2026-8769 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, <= 3.0.97
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P |
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |