CVE-2025-54381: BentoML SSRF Vulnerability Exposes AI Model Serving Systems
BentoML, a popular Python library for building AI-powered serving systems, is affected by a critical Server-Side Request Forgery (SSRF) vulnerability. This flaw could allow attackers to force a BentoML server to make arbitrary HTTP requests, potentially exposing sensitive internal resources. Let's dive into the details and how to protect your systems.
Vulnerability Details
- CVE ID: CVE-2025-54381
- Description: BentoML versions 1.4.0 through 1.4.18 are vulnerable to Server-Side Request Forgery (SSRF). The file upload processing system allows unauthenticated remote attackers to force the server to make arbitrary HTTP requests. This is due to the multipart form data and JSON request handlers automatically downloading files from user-provided URLs without proper validation.
- CVSS Score: 9.9 (Critical)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
- CVSS Explanation:
  - AV:N (Network): The vulnerability is exploitable over the network.
  - AC:L (Low): The attack does not require unusual conditions.
  - PR:N (None): No privileges are required to exploit the vulnerability.
  - UI:N (None): No user interaction is required.
  - S:C (Changed): The vulnerability can affect resources beyond the security scope of the vulnerable component (the serving process can reach internal hosts it was never meant to contact).
  - C:H (High): There is a high impact on confidentiality. An attacker could access sensitive information.
  - I:L (Low): There is a limited impact on integrity. An attacker could modify some data.
  - A:L (Low): There is a limited impact on availability. An attacker could cause some service disruption.
- Exploit Requirements: An attacker needs to send a crafted HTTP request to a BentoML server that includes a malicious URL for file upload.
- Affected Vendor: BentoML
- Affected Product: BentoML
- Affected Versions: 1.4.0 - 1.4.18
- CWE: CWE-918 (Server-Side Request Forgery (SSRF))
- CWE Explanation: Server-Side Request Forgery (SSRF) occurs when an attacker can cause a web server to make HTTP requests to an arbitrary domain of the attacker's choosing. This can allow the attacker to scan internal networks, access cloud metadata, or potentially achieve remote code execution depending on the services running on the internal network.
Timeline of Events
- 2025-07-29: Vulnerability publicly disclosed.
- 2025-07-29: Patch released in BentoML version 1.4.19.
Exploitability & Real-World Risk
This SSRF vulnerability is highly exploitable, as it requires no authentication and can be triggered with a simple HTTP request. In real-world scenarios, this could allow attackers to:
- Scan internal networks for other vulnerable services.
- Access sensitive cloud metadata (e.g., AWS IAM roles).
- Potentially gain unauthorized access to internal APIs or databases.
- Launch denial-of-service attacks against internal resources.
Given BentoML's usage in AI model serving, a successful SSRF attack could have severe consequences, potentially leaking sensitive model data or disrupting critical AI-powered services.
Recommendations
The most important step is to upgrade to BentoML version 1.4.19 or later. This version contains a patch that mitigates the SSRF vulnerability. Additionally, consider the following security best practices:
- Implement network segmentation to limit the impact of a successful SSRF attack.
- Monitor network traffic for suspicious outbound connections.
- Review your BentoML configuration and ensure that only authorized users can access sensitive resources.
Technical Insight
The vulnerability lies in how BentoML handles file uploads from URLs. The application blindly trusts user-provided URLs, which allows an attacker to specify internal resources (e.g., http://127.0.0.1/admin) or cloud metadata endpoints (e.g., http://169.254.169.254/latest/meta-data/). By exploiting this trust, an attacker can effectively turn the BentoML server into a proxy, allowing them to access resources that would otherwise be inaccessible.
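The defensive counterpart of the flaw described above is a check that runs before the server fetches anything from a user-supplied URL. The following is an added illustration written for this page; it is not BentoML's code and does not claim to show how the 1.4.19 patch is implemented. The function names, the `STUB_DNS` table and the sample addresses are constructed for the example, and `default_resolver` is the only piece that touches the real network.

```python
"""Added illustration (not BentoML's own code): vet a user-supplied URL before
the server fetches it, refusing destinations that an SSRF would typically
reach. Function names and the STUB_DNS table below are constructed."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table so the example runs offline; a deployment would pass
# a resolver built on socket.getaddrinfo instead (see default_resolver).
STUB_DNS = {
    "models.example.com": ["93.184.216.34"],          # constructed public address
    "localhost": ["127.0.0.1"],
    "mixed.example": ["93.184.216.34", "10.0.0.5"],   # public and internal answers
}


def stub_resolver(host):
    """Offline resolver over the constructed table."""
    try:
        return STUB_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")


def default_resolver(host):
    """Real lookup: return every A/AAAA answer so each one can be checked."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_disallowed_ip(ip_str):
    """True for loopback, private, link-local (covers 169.254.169.254),
    multicast, reserved and unspecified addresses, in IPv4 or IPv6."""
    ip = ipaddress.ip_address(ip_str)
    # ::ffff:127.0.0.1 style addresses are judged by their embedded IPv4 part
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url, resolver=default_resolver):
    """Return the resolved addresses the fetch may connect to, or raise
    ValueError. The caller should connect to one of the returned addresses
    rather than re-resolving (avoids DNS rebinding between check and use)
    and must re-run this check on every redirect hop."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials embedded in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        # Literal addresses (including bracketed IPv6) need no lookup
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolver(host)
        except socket.gaierror as exc:
            raise ValueError(f"cannot resolve {host}: {exc}") from exc
    if not addrs:
        raise ValueError(f"no addresses for {host}")
    # Reject if ANY answer is disallowed, so a record set that mixes public
    # and internal addresses does not pass on the strength of the first one.
    bad = [a for a in addrs if is_disallowed_ip(a)]
    if bad:
        raise ValueError(f"{host} resolves to disallowed address(es): {bad}")
    return addrs


def is_safe_fetch_url(url, resolver=default_resolver):
    """Boolean wrapper around validate_fetch_url for simple policy checks."""
    try:
        validate_fetch_url(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for u in ["https://models.example.com/weights.bin",
              "http://127.0.0.1/admin",
              "http://169.254.169.254/latest/meta-data/",
              "http://localhost/",
              "http://[::ffff:7f00:1]/",
              "file:///etc/passwd",
              "http://mixed.example/"]:
        verdict = "allow" if is_safe_fetch_url(u, stub_resolver) else "deny"
        print(f"{u:45} -> {verdict}")
```

Two design points matter more than the address list itself. First, the check resolves the hostname and judges every returned address, because a hostname check alone says nothing about where the connection actually goes; the fetch should then connect to one of the returned addresses instead of resolving again. Second, the check must be repeated on each redirect, since an HTTP client that follows redirects automatically would otherwise land on an internal address after a single allowed hop. Where the deployment can define the set of hosts a model server legitimately pulls from, an allow-list of those hosts is stricter than this deny-list and is the better default.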
Credit to Researcher(s)
This vulnerability was reported via a GitHub Security Advisory.
Summary: A critical Server-Side Request Forgery (SSRF) vulnerability exists in BentoML versions 1.4.0 through 1.4.18, allowing unauthenticated remote attackers to force the server to make arbitrary HTTP requests. Upgrade to version 1.4.19 or later to mitigate the risk.
CVE ID: CVE-2025-54381
Risk Analysis: Successful exploitation of this vulnerability can lead to information disclosure, access to internal services, and potentially remote code execution, depending on the resources accessible through the internal network.
Recommendation: Upgrade to BentoML version 1.4.19 or later to address the SSRF vulnerability. Implement network segmentation and monitor network traffic for suspicious outbound connections.
Timeline
- 2025-07-29: Vulnerability publicly disclosed and patch released.