The short version: This week three libraries you may already run — the Vercel AI SDK, Pydantic AI, and CrewAI — each shipped a patch at the same seam: the boundary between untrusted input and tool execution. Vercel added defenses against an MCP server changing its tool definitions after you trust it. Pydantic fixed a flaw that let a client message smuggle an unresolved tool call back into execution. CrewAI cleared vulnerable dependencies in the same path. It reads like three unrelated changelogs. It's one story: the attack surface of an agent is the input that reaches its tools, not the model. Here's the upgrade math.
Vercel AI SDK 7.0.19: catch an MCP "rug pull"#
ai@7.0.19 (July 9) added two functions, fingerprintTools and detectToolDrift, aimed squarely at MCP tool-definition drift — the "rug pull," where a server serves benign tools while you're evaluating it, then quietly rewrites a tool's description or widens its input schema once you've connected. In the SDK's own words: "Pin a tool set's server-controlled fields (string description, input schema, title) at trust time with fingerprintTools, then diff later fetches with detectToolDrift to catch injected descriptions or widened schemas before passing tools to the model."
That's the whole mitigation: snapshot the tool contract when you trust it, and diff every later fetch. If you connect to any third-party MCP server, this is close to a free security upgrade, and it's the practical companion to what we've covered as poisoned tool descriptions and MCP rug-pulls. We wrote the hands-on version — how to detect a rug pull with these two functions — as a companion to this roundup.
Pydantic AI: a client message that dispatches your tools#
GHSA-jpr8-2v3g-wgf9 (moderate, CVSS 6.5) is subtler and, if it applies to you, more urgent. In Pydantic AI's UI adapters — AG-UI and Vercel AI — message sanitization had a flaw: when a trailing client message was dropped during sanitization, a preceding assistant response carrying an unresolved tool call became the new tail and was left unchecked, so the agent could dispatch it. Translation: a remote client could get a registered tool executed with its own arguments rather than the model's.
The advisory is honest that this is a defense-in-depth bypass, not a total boundary break — arguments are still schema-validated, and tools should enforce their own authorization. But the fix is cheap and the exposure is real: affected versions are pydantic-ai >=2.0.0b1,<2.5.0 and >=1.88.0,<1.107.1, fixed in 2.5.0 and 1.107.1. If you serve a Pydantic AI agent through AG-UI or the Vercel adapter, upgrade this week and, while you're there, put real authorization in your before_tool_execute hooks rather than trusting the message stream.
CrewAI 1.15.2: the boring, necessary one#
CrewAI 1.15.2 (July 8) is the least dramatic of the three: it resolves pip-audit failures for onnx 1.22.0 and nltk (PYSEC-2026-597), bundled with flow-authoring features — dynamic model pulling in the crew wizard, inline skill definitions, templated flow inputs, and a stream-frame protocol for flows. No headline framework flaw here, just dependency hygiene. But it belongs in the same story: the vulnerable packages sit in the same request path that ends at a tool call, and "our deps had a CVE" is how a lot of agent compromises actually start.
The pattern worth internalizing#
Read the three together and the lesson is architectural, not incidental. Every one of these fixes lives at the point where something you didn't generate — a tool description from an MCP server, a message from a browser client, a transitive dependency — reaches something that acts — a tool call. That seam is the agent security boundary now, and it's moving outward as agents wire up to more servers, adapters, and UIs. The model is not where you'll get owned. The input to your tools is.
Practical takeaway for this week: bump the Vercel AI SDK and turn on tool fingerprinting if you touch third-party MCP; upgrade Pydantic AI to ≥2.5.0 (or ≥1.107.1) if you use its UI adapters; and run pip-audit on your CrewAI deps. Three small PRs, one real reduction in blast radius. For the bigger picture on why the guardrails — not the horsepower — are what shipped in coding tools this summer, see coding agents shipped guardrails, not horsepower.



