AI Ticker HQ

vercel/ai [email protected]


Vercel's AI SDK Patch Fixes Critical Tool Approval Security Flaw

Vercel has released a security patch for its AI SDK that addresses a flaw in how tool approvals were validated when previously approved tool calls are replayed from message history. The flaw allowed an attacker who could edit the conversation sent to the server to forge an approved-looking tool call and have the tool run with attacker-chosen arguments, bypassing the approval gate that applications relied on.

TL;DR

  • Tool approval replay vulnerability: generateText and streamText accepted tool calls marked as approved in the client-supplied message history and executed them without re-validating the approval or the arguments
  • Attack vector: anyone who could submit a modified message array could forge an assistant message containing an approved-looking tool-call part and run the tool with parameters of their choosing
  • The fix: the patch verifies an HMAC over the approval when experimental_toolApprovalSecret is configured, re-validates tool inputs against the tool's schema, and re-checks whether the tool currently requires approval before executing it
  • Impact: developers using generateText or streamText with tool approval should update to 6.0.202 or later to close this authorization bypass

Background

Tool approval in AI applications represents a critical safety feature. When AI systems have access to external tools—APIs, database operations, or other integrations—operators often need human or application-level approval before those tools execute. This prevents unintended or malicious operations from running unchecked.

Vercel's AI SDK supports marking individual tools as requiring approval, and an experimental_toolApprovalSecret option that gives the server a key for signing approval records. Because an approval round-trips through the client, the framework reconstructs approved tool calls from the conversation history and replays them, rather than having the model generate the call again.

That replay step is where the vulnerability lived. The SDK trusted that a tool call appearing in the history as approved was legitimate, without verifying that the approval was genuine or that the call's arguments were still valid.

How it works

The Vulnerability: Approval Replay Without Re-validation

When generateText or streamText ran with tool approval enabled, the SDK rebuilt tool calls from the client-supplied message array. Any tool call that looked like a previously approved one was executed as-is, with no further checks.

This was the gap: an attacker could craft an assistant message containing a tool-call part that had never gone through approval, put arbitrary arguments in it, and the server would execute it, because it assumed anything in the client's message history had already been legitimately approved.

The attack needed no key and no knowledge of how approvals were produced, only the ability to submit an edited message history containing a plausible tool-call object, which any client of a chat endpoint has.

The Fix: Layered Re-validation

The patch implements a three-tier validation approach before tool execution:

HMAC Signature Verification: When an experimental_toolApprovalSecret is configured, the SDK now verifies the HMAC over the tool approval before honoring it. Only approvals produced by the application, which holds the secret, verify; forged or tampered approval records fail this check. The check applies only when the secret is configured: a deployment without one has no signature to verify and relies on the two checks below.

Schema Re-validation: Before executing any replayed tool call, the SDK re-validates the tool's input arguments against the tool's defined schema. Even if an approval appeared legitimate, if the arguments don't match what the tool expects, execution is blocked. This prevents attackers from injecting malformed or unexpected data.

Approval Status Re-check: The system re-resolves whether the tool actually requires approval in its current configuration. This ensures that tools with changed approval requirements aren't inadvertently executed under old assumptions.

Together, these checks mean that a forged approval is rejected outright where a secret is configured, and that even where one is not, a replayed call can only run with arguments its schema accepts and only if the tool's current configuration permits it.

What this means for practitioners

For developers using Vercel's AI SDK with tool-calling and approval workflows, this patch closes a significant hole. Applications using the approval feature were exposed whether or not they had set experimental_toolApprovalSecret, since the secret was not being checked when approved calls were replayed.

The vulnerability is particularly concerning for applications whose tools perform sensitive operations: financial transactions, data modifications, system administration tasks, or any integration where unauthorized execution could cause harm. Any user who can send messages to the chat endpoint can send modified history, so the bar for exploitation is low.

The patch is delivered as a point release (6.0.202) along with updated provider utilities and gateway dependencies, indicating this was prioritized as a security fix rather than a feature release.

What happens next

Teams using the AI SDK should update to version 6.0.202 or later. The patch is backward compatible and requires no code changes. The signature check applies only where experimental_toolApprovalSecret is configured, so teams should confirm the secret is set in production rather than relying on schema re-validation alone.

For those implementing tool approval workflows, this fix reinforces an important principle: never trust client-supplied data, even when it appears to carry authorization markers. Server-side re-validation of cryptographic signatures and schema constraints is essential whenever security decisions depend on user-provided input.

Organizations can review application logs for tool executions that occurred before the patch was applied, looking in particular for calls whose arguments differ from what the approval flow would have produced. Without an audit trail of approval decisions, however, forged approvals may be hard to distinguish from genuine ones.