Pydantic AnyUrl claims to require a host, but doesn't (Fix)

The Fix

pip install pydantic==1.10.19

Based on closed pydantic/pydantic issue #10684 · PR/commit linked

Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.

Jump to Verify Open PR/Commit

@@ -5,7 +5,7 @@
 strategy = ["inherit_metadata"]
 lock_version = "4.5.0"
-content_hash = "sha256:65c1ddf4e0d8613d976f043e92a309a87d133d3424f27e8cab7907f19889efa7"
+content_hash = "sha256:0fa988af1e0b9ae6e18b2a31a32d54aba8db98db5a9428207aa897831e836b82"

repro.py

>> import pydantic.v1
>> pydantic.v1.parse_obj_as(pydantic.v1.AnyUrl, "file:///etc/passwd")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3/dist-packages/pydantic/v1/tools.py", line 38, in parse_obj_as
    return model_type(__root__=obj).__root__
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/pydantic/v1/main.py", line 341, in __init__
    raise validation_error
pydantic.v1.error_wrappers.ValidationError: 1 validation error for ParsingModel[AnyUrl]
__root__
  URL host invalid (type=value_error.url.host)

verify

Re-run the minimal reproduction on your broken version, then apply the fix and re-run.

fix.md

Option A — Upgrade to fixed release\npip install pydantic==1.10.19\nWhen NOT to use: Do not use this fix if host validation is critical for your application.\n\n

Why This Fix Works in Production

Trigger: >> import pydantic.v1
Mechanism: The AnyUrl type incorrectly allows URLs without a host for certain schemes
Why the fix works: upstream changes in 1.10.19 address the mechanism above.

Production impact:

If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.

Why This Breaks in Prod

The AnyUrl type incorrectly allows URLs without a host for certain schemes
Surfaces as: >> import pydantic.v1

Proof / Evidence

GitHub issue: #10684
Fix PR: https://github.com/pydantic/pydantic/pull/10662
First fixed release: 1.10.19
Reproduced locally: No (not executed)
Last verified: 2026-02-09
Confidence: 0.70
Did this fix it?: Yes (upstream fix exists)
Own content ratio: 0.34

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

Jump to Sources Open on GitHub

“Yep, looks like a bug, working on a fix now. Thanks!”

@sydney-runkle · 2024-10-23 · source

Failure Signature (Search String)

>> import pydantic.v1

Error Message

Stack trace

error.txt

Error Message
-------------
>> import pydantic.v1
>> pydantic.v1.parse_obj_as(pydantic.v1.AnyUrl, "file:///etc/passwd")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3/dist-packages/pydantic/v1/tools.py", line 38, in parse_obj_as
    return model_type(__root__=obj).__root__
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/pydantic/v1/main.py", line 341, in __init__
    raise validation_error
pydantic.v1.error_wrappers.ValidationError: 1 validation error for ParsingModel[AnyUrl]
__root__
  URL host invalid (type=value_error.url.host)

Minimal Reproduction

repro.py

>> import pydantic.v1
>> pydantic.v1.parse_obj_as(pydantic.v1.AnyUrl, "file:///etc/passwd")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3/dist-packages/pydantic/v1/tools.py", line 38, in parse_obj_as
    return model_type(__root__=obj).__root__
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/pydantic/v1/main.py", line 341, in __init__
    raise validation_error
pydantic.v1.error_wrappers.ValidationError: 1 validation error for ParsingModel[AnyUrl]
__root__
  URL host invalid (type=value_error.url.host)

Environment

Pydantic: 2

What Broke

Unexpected acceptance of file URLs led to potential security concerns.

Why It Broke

The AnyUrl type incorrectly allows URLs without a host for certain schemes

Fix Options (Details)

Option A — Upgrade to fixed release Safe default (recommended)

pip install pydantic==1.10.19

When NOT to use: Do not use this fix if host validation is critical for your application.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Fix reference: https://github.com/pydantic/pydantic/pull/10662

First fixed release: 1.10.19

Last verified: 2026-02-09. Validate in your environment.

When NOT to Use This Fix

Do not use this fix if host validation is critical for your application.

Verify Fix

verify

Re-run the minimal reproduction on your broken version, then apply the fix and re-run.

Did This Fix Work in Your Case?

Quick signal helps us prioritize which fixes to verify and improve.

Prevention

Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
Upgrade behind a canary and run integration tests against the canary before 100% rollout.

Version Compatibility Table

Version	Status
1.10.19	Fixed

Related Issues

No related fixes found.

Cluster: pydantic:configuration-error Pydantic hub Pydantic best practices All hubs All clusters

Related clusters: Data consistency OpenAPI schema Serialization

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.