AI Ticker HQ

vercel/ai

Vercel AI SDK 6.0.202: Critical Security Patch for Tool Approval System

Vercel has released version 6.0.202 of its AI SDK with an important security fix addressing a vulnerability in how the framework validates tool execution requests. The patch closes a potential attack vector where clients could manipulate message history to execute tools with unauthorized arguments, bypassing the approval system entirely.

TL;DR

  • Tool approval bypass vulnerability: The previous implementation allowed attackers to forge approval states in client-supplied messages, enabling unauthorized tool execution with arbitrary parameters
  • HMAC signature verification: The patched version now validates cryptographic signatures when an approval secret is configured, preventing message tampering
  • Schema re-validation: Tool inputs are now re-checked against their defined schemas during replay, not just during initial processing
  • Impact: Teams using the AI SDK's tool approval system should update immediately to prevent potential unauthorized API calls or data manipulation through AI agents

Background

The Vercel AI SDK provides developers with abstractions for building AI applications, including support for tool use—allowing language models to call external functions and APIs. For sensitive operations, the framework offers an approval system where tools can be configured to require explicit human authorization before execution.

This approval mechanism is critical for production applications where an AI model might attempt to execute actions like transferring funds, modifying databases, or accessing protected resources. The approval system acts as a safety gate, intercepting tool calls and requiring verification before proceeding.

However, the vulnerability present in version 6.0.201 and earlier undermined this security model. The generateText and streamText functions—core utilities for running AI inference with tool calling—contained a flaw in how they handled the "approval replay" path, which processes tool calls that were previously approved and are being re-executed from conversation history.

How it works

The Vulnerability: Approval Replay Without Validation

When AI applications maintain conversation history (storing both user messages and assistant responses), they need to efficiently re-execute previously approved tool calls without re-processing the entire conversation with the AI model. This is where the approval replay mechanism comes in.

The vulnerable implementation extracted tool calls from client-supplied message arrays and executed them directly if they appeared to be pre-approved. However, it skipped three critical validation steps: checking the HMAC signature protecting the approval state, re-validating the tool's input against its schema constraints, and re-verifying that the tool actually requires approval.

An attacker could exploit this by crafting a malicious message containing a tool-call part marked as approved, but with parameters completely different from what was originally approved. For example, if a tool for "transfer funds" was approved with a $100 limit, an attacker could inject a forged approved call requesting a $10,000 transfer. The replay mechanism would execute it without question.

The Fix: Multi-Layer Validation

The patch implements a comprehensive three-layer validation approach for the approval replay path.

Layer one: cryptographic verification. When developers configure an experimental_toolApprovalSecret, the system now verifies the HMAC signature protecting each tool-call approval state. HMAC (Hash-based Message Authentication Code) ensures that the approval metadata hasn't been tampered with after being created by the server. If the signature doesn't match, the tool call is rejected outright.

Layer two: schema validation. The patched version re-validates all tool-call input against the tool's input schema before execution. This ensures that even if an approval was legitimate, the parameters supplied match what the tool definition expects. Tools often define constraints like data type requirements, maximum string lengths, or valid enum values. Re-validating against these schemas catches injected or modified parameters.

Layer three: approval requirement check. The system re-resolves whether the tool actually requires approval in the current context. Tool approval requirements can be dynamic or conditional. Re-checking this requirement prevents scenarios where a tool's configuration has changed since approval was granted, or where approval rules have been updated.

Together, these layers mean that replayed tool calls undergo nearly the same scrutiny as freshly processed ones, without requiring a full round-trip with the AI model.

Dependencies Updated

The security fix cascades to related packages: @ai-sdk/provider-utils (now 4.0.28) and @ai-sdk/gateway (now 3.0.128) have been updated with corresponding changes to support the enhanced validation logic.

What happens next

Development teams currently using Vercel's AI SDK, particularly those implementing tool approval systems for sensitive operations, should prioritize upgrading to version 6.0.202. If you're managing AI agent applications that make external function calls—especially for financial transactions, data modifications, or other high-risk operations—this patch directly addresses a critical security gap.

For applications already in production, review your tool definitions to ensure they are configured with experimental_toolApprovalSecret enabled. This configuration activates the HMAC signature validation that prevents the most straightforward attack vector; without the secret, only the schema re-validation and the approval requirement re-check apply to replayed calls.

The vulnerability highlights an important principle in AI application security: never trust client-supplied state about approval or authorization. Always re-validate and re-verify on the server side, even when processing messages that appear to come from your own application's conversation history.