What's Changed
🛡️ Security
This release patches GHSA-jpr8-2v3g-wgf9 (moderate, CWE-863) on the v1 line. On the AG-UI serving path (Agent.to_ag_ui() / AGUIAdapter), UIAdapter.sanitize_messages anchored its dangling-tool-call strip to an index computed before sanitization. When a trailing client message was dropped during sanitization (for example a client system message under the default manage_system_prompt='server'), a preceding assistant response carrying an unresolved tool call could be re-exposed as the new tail and executed with client-chosen arguments.
- Affected:
pydantic-ai/pydantic-ai-slim>= 1.88.0, < 1.107.1(v1) and>= 2.0.0, < 2.5.0(v2) - Patched:
1.107.1(v1) and2.5.0(v2) - Not affected if every sensitive tool uses
requires_approval=True/ApprovalRequiredToolset, or if your tool handlers validate their arguments and enforce authorization themselves.
See the advisory for details and workarounds.
🐛 Bug Fixes
- Fix
sanitize_messagestail handling when a trailing client message is dropped by @dsfaccini in #6407
Full Changelog: v1.107.0...v1.107.1