
pydantic-ai

v1.100.0 Security

This release includes 1 security fix of interest to security teams reviewing exposed deployments.


Topics

agent-framework genai llm pydantic python

Affected surfaces

rce_ssrf

ReleasePort's take

Moderate signal

pydantic-ai v1.100.0 patches SSRF bypass via IPv6-encoded addresses in URL validation and deprecates four API patterns (gateway/gemini prefix, StreamedResponse.usage(), positional evals construction, evaluation attributes) ahead of v2.

Why it matters: the SSRF fix closes a cloud-metadata blocklist bypass; patch immediately if you rely on that SSRF protection. The four deprecations signal v2 breaking changes; audit usage in dev and plan migrations before the major version bump.

Summary

AI summary

Updates to Security, V2 Preparation (new) and Features across a mixed release.

Changes in this release

Security Medium

Normalize IPv6 transition forms in URL validation to prevent SSRF cloud-metadata blocklist bypass via IPv6-encoded address forms.

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Feature Medium

Support Bedrock native JSON output and strict tool calls.

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low

Deprecation Medium

Deprecate `gateway/gemini:` prefix, use `gateway/google-cloud:` instead.

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low

Deprecation Medium

Deprecate method-style `StreamedResponse.usage()`, raise on region-less Gateway API keys.

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low

Deprecation Medium

Deprecate positional construction of evals classes ahead of v2 keyword-only flip.

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low

Deprecation Medium

Deprecate `evaluation_name` / `evaluator_version` attribute pattern, use explicit accessor methods instead.

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low

Bugfix Medium

Ignore signatures on incomplete incoming thinking parts when using Vercel AI.

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low

Full changelog

What's Changed

πŸ›‘οΈ Security

  • Normalize IPv6 transition forms in URL validation by @DouweM in https://github.com/pydantic/pydantic-ai/pull/5528
    • Security advisory: SSRF cloud-metadata blocklist bypass via IPv6-encoded address forms https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-cqp8-fcvh-x7r3
    • This fix went out in yesterday's v1.99.0.
    • You are affected only if your application explicitly opts a FileUrl into force_download='allow-local' on a URL that is, or could be, influenced by untrusted input.
    • You are not affected if you use any of the bundled integrations to ingest user input: Agent.to_web / clai web; VercelAIAdapter; AGUIAdapter / Agent.to_ag_ui
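As an added illustration of the bypass class the advisory describes (this is example code written here, not pydantic-ai's own validation from PR #5528), the check below contrasts a naive blocklist lookup with one that first unwraps IPv6 transition forms that embed an IPv4 address. The blocklist and the URLs are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed blocklist for this example: cloud-metadata link-local range, loopback, RFC 1918, ULA.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fe80::/10", "fd00::/8",
)]


def naive_is_blocked(url: str) -> bool:
    """Weak check: tests the literal as parsed. An IPv6 form of an IPv4 address is an
    IPv6Address, which is never 'in' an IPv4Network, so it slips past the IPv4 ranges."""
    try:
        addr = ipaddress.ip_address(urlsplit(url).hostname or "")
    except ValueError:
        return False
    return any(addr in net for net in BLOCKED_NETWORKS)


def normalize_address(host: str):
    """Return the address a literal really designates, unwrapping IPv6 transition forms
    that embed an IPv4 address; None when the host is a name rather than a literal."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address):
        if addr.ipv4_mapped is not None:   # ::ffff:a.b.c.d and ::ffff:xxxx:xxxx
            return addr.ipv4_mapped
        if addr.sixtofour is not None:     # 2002:xxxx:xxxx::/48 (6to4)
            return addr.sixtofour
        if addr.teredo is not None:        # 2001:0::/32, [1] is the embedded client address
            return addr.teredo[1]
        if 1 < int(addr) < (1 << 32):      # deprecated IPv4-compatible form ::a.b.c.d
            return ipaddress.IPv4Address(int(addr))
    return addr


def is_blocked(url: str) -> bool:
    """Hardened check: normalize the literal first, then compare against the blocklist."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    addr = normalize_address(host)
    if addr is None:
        # A hostname rather than a literal: resolve it and run this same check on every
        # returned address right before connecting (not shown; that also covers DNS rebinding).
        return False
    return any(addr in net for net in BLOCKED_NETWORKS)
```

Newer Python versions make some of these properties (such as `is_private`) transition-aware, but an explicit unwrap keeps the check independent of the interpreter version.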

Features

  • Support Bedrock native JSON output + strict tool calls by @shailendher in https://github.com/pydantic/pydantic-ai/pull/4237

πŸ› Bug Fixes

  • Ignore signatures on incomplete incoming thinking parts when Vercel AI by @pydanty[bot] in https://github.com/pydantic/pydantic-ai/pull/5534

V2 Preparation

  • Deprecate gateway/gemini: prefix in favor of gateway/google-cloud: by @dsfaccini in https://github.com/pydantic/pydantic-ai/pull/5543
  • Deprecate method-style StreamedResponse.usage(); raise on region-less Gateway API keys by @dsfaccini in https://github.com/pydantic/pydantic-ai/pull/5546
  • Deprecate positional construction of evals classes ahead of v2 kw-only flip by @dmontagu in https://github.com/pydantic/pydantic-ai/pull/5547
  • Deprecate evaluation_name / evaluator_version attribute pattern in favor of explicit accessor methods by @dmontagu in https://github.com/pydantic/pydantic-ai/pull/5554

New Contributors

  • @shailendher made their first contribution in https://github.com/pydantic/pydantic-ai/pull/4237

Full Changelog: https://github.com/pydantic/pydantic-ai/compare/v1.99.0...v1.100.0

Security Fixes

  • GHSA-cqp8-fcvh-x7r3: Normalize IPv6 transition forms in URL validation to block SSRF cloud-metadata bypass


About pydantic-ai

AI Agent Framework, the Pydantic way


Related context

Earlier breaking changes

  • v1.95.0 renames 'built-in tools' to 'native tools', deprecates the old fields, and registers them via capabilities=[NativeTool(...)]
