CVE-2025-25297
📋 TL;DR
Label Studio versions before 1.16.0 contain a Server-Side Request Forgery (SSRF) vulnerability in the S3 storage integration: the endpoint URL given for an S3 storage connection is used without validation, so an attacker who can configure storage can point it at an arbitrary internal service URL and have the Label Studio server make requests to it from its own network position, reaching services that network segmentation would otherwise keep out of reach. This affects every deployment running an unpatched version that exposes the S3 storage feature.
💻 Affected Systems
- Label Studio
📦 What is this software?
Label Studio, an open-source data labeling platform by HumanSignal
⚠️ Risk & Real-World Impact
Worst Case
Complete internal network reconnaissance and data exfiltration from sensitive internal services, potentially including credentials, configuration data, or proprietary information.
Likely Case
Internal service enumeration and limited data exfiltration from misconfigured or vulnerable internal services accessible to the Label Studio server.
If Mitigated
Limited impact due to network segmentation, but still potential for internal service discovery and limited data leakage.
🎯 Exploit Status
Exploitation requires authenticated access to configure S3 storage connections. The vulnerability is straightforward to exploit once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.16.0
Vendor Advisory: https://github.com/HumanSignal/label-studio/security/advisories/GHSA-m238-fmcw-wh58
Restart Required: Yes (a pip upgrade does not change code already loaded by a running process; the Label Studio server must be restarted to pick up the fix)
Instructions:
1. Upgrade the package: pip install --upgrade "label-studio>=1.16.0" (the quotes stop the shell from treating >= as a redirect). For container deployments, pull the heartexlabs/label-studio image tagged 1.16.0 or later.
2. Restart the Label Studio server process (or recreate the container) so the new code is loaded.
3. Verify the upgrade: pip show label-studio should report Version: 1.16.0 or higher.
🔧 Temporary Workarounds
Disable S3 Storage Feature
Temporarily disable the S3 storage integration if it is not required for operations.
Configure Label Studio to use local storage only, or remove existing S3 storage configurations in the admin interface.
Restrict S3 Endpoint Configuration
Add input validation that restricts S3 endpoint URLs to your known S3 hosts (for AWS, hostnames under amazonaws.com; self-hosted S3-compatible stores such as MinIO need their own explicit entries).
Match on the parsed hostname, not a substring of the URL (evil-amazonaws.com must not pass an amazonaws.com check), and also refuse hostnames that resolve to private, loopback or link-local addresses, since a DNS name can be pointed at an internal service.
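The validation described above, written out as an added example for this page (it is not Label Studio code and uses none of its APIs). The allow list, the helper names and the DNS table are constructed for illustration; the resolver is injectable so the demo runs offline, and in production the default resolver uses the system DNS.

```python
"""Endpoint allow-listing for an S3 storage connector.

Added example for this page; it is not Label Studio code and does not use its
APIs. It shows the workaround above done properly: the check runs on the
parsed hostname rather than a substring, and it also refuses hostnames that
resolve to non-public addresses, so an allow-listed DNS name cannot be pointed
at an internal service or the 169.254.169.254 cloud metadata address.
The allow list, helper names and DNS table below are constructed for illustration.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional
from urllib.parse import urlsplit

# Hypothetical allow list for a deployment that uses AWS S3 only. Entries that
# start with "." match any subdomain; other entries must match exactly. Add a
# self-hosted S3-compatible endpoint (e.g. a MinIO FQDN) here deliberately.
DEFAULT_ALLOWED_HOSTS = (".amazonaws.com",)

Resolver = Callable[[str], List[str]]


def resolve_all(host: str) -> List[str]:
    """Production resolver: every A/AAAA address for host, or [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def host_allowed(host: str, allowed: Iterable[str]) -> bool:
    """Exact or dotted-suffix match, so 'evil-amazonaws.com' does not pass '.amazonaws.com'."""
    host = host.lower().rstrip(".")
    for entry in allowed:
        entry = entry.lower()
        if entry.startswith("."):
            if host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def address_is_public(addr: str) -> bool:
    """False for loopback, RFC 1918, link-local (incl. 169.254.169.254) and other reserved ranges."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 by its embedded IPv4 address
    return ip.is_global


def validate_s3_endpoint(url: str,
                         allowed: Iterable[str] = DEFAULT_ALLOWED_HOSTS,
                         resolver: Resolver = resolve_all) -> Optional[str]:
    """Return None if the endpoint may be saved, otherwise the reason it is refused."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return "URL has no hostname"
    if parts.username or parts.password:
        return "credentials embedded in URL"
    if not host_allowed(host, allowed):
        return f"host {host!r} is not on the allow list"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: check it directly
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return f"host {host!r} did not resolve"
    for addr in addrs:
        if not address_is_public(addr):
            return f"host {host!r} resolves to non-public address {addr}"
    return None


# Constructed DNS table so the demo runs offline; the third name is made up to
# show an allow-listed hostname that has been pointed at the internal network.
FAKE_DNS = {
    "s3.amazonaws.com": ["52.216.0.1"],
    "s3.eu-west-1.amazonaws.com": ["3.5.0.10"],
    "storage-alias.amazonaws.com": ["10.0.0.8"],
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host.lower(), [])


CANDIDATES = [
    "https://s3.amazonaws.com",
    "https://s3.eu-west-1.amazonaws.com",
    "http://169.254.169.254/latest/meta-data/",
    "http://127.0.0.1:8080",
    "https://evil-amazonaws.com",
    "https://storage-alias.amazonaws.com",
    "s3.amazonaws.com",
]


def demo() -> dict:
    """Run every candidate through the validator with the offline resolver."""
    return {u: validate_s3_endpoint(u, resolver=fake_resolver) for u in CANDIDATES}


if __name__ == "__main__":
    for url, reason in demo().items():
        print(f"{'ALLOW ' if reason is None else 'REFUSE'} {url}  {reason or ''}")
```

Run as a pre-save check wherever the storage form is handled. The resolution step matters as much as the allow list: without it a name under an allowed domain can be pointed at 10.0.0.8 and the connector would happily talk to it.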
🧯 If You Can't Patch
- Limit who can add or edit storage connections: exploitation requires a user with that permission, so restrict it to the administrators who need it
- Enforce egress filtering on the Label Studio host: allow outbound connections only to your S3 endpoint and other required destinations, and deny RFC 1918 ranges, loopback and the link-local 169.254.0.0/16 range (which includes the cloud metadata endpoint)
- Implement strict network segmentation to isolate Label Studio from sensitive internal services
- Web application firewall (WAF) rules can flag storage-configuration requests whose endpoint field contains a literal internal IP or localhost, but a WAF sees only the inbound request, not the server's outbound SSRF traffic, and it cannot tell what a hostname resolves to; treat it as a supplement to egress filtering, not a substitute
🔍 How to Verify
Check if Vulnerable:
Check the installed Label Studio version: if it is below 1.16.0 and S3 storage connections can be configured, the system is vulnerable.
Check Version:
pip show label-studio | grep -i '^Version'
(run inside the container for Docker deployments)
Verify Fix Applied:
Confirm the version is 1.16.0 or higher and that the server process has been restarted since the upgrade. Then, as an authenticated user in a test project, try to add an S3 storage connection whose endpoint points at an internal address (for example http://127.0.0.1:8080); a fixed version refuses it rather than contacting it. Do not treat every non-AWS endpoint as a failure: self-hosted S3-compatible endpoints remain legitimate. Keep Label Studio's built-in SSRF protection enabled (the SSRF_PROTECTION_ENABLED setting) so the endpoint check is enforced.
📡 Detection & Monitoring
Log Indicators:
- S3 storage connections created or edited with an endpoint that is not one of your known S3 hosts, especially a literal IP address, localhost, a non-standard port or a path component
- HTTP requests from the Label Studio process to internal IP addresses, including 169.254.169.254
- Storage connection error messages that contain response bodies (HTML, JSON, banners) from services that are clearly not S3
Network Indicators:
- Outbound HTTP requests from the Label Studio host to internal network segments or the metadata address
- Outbound connections from the Label Studio host to ports other than 443 and your S3 endpoint's port
SIEM Query:
source="label-studio" AND url MATCHES "^https?://(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.|169\.254\.|localhost|\[::1\])"
Regex form; adapt to your SIEM's syntax. Note that a wildcard such as 172.16.* covers only 172.16.0.0/16, not the whole 172.16.0.0/12 private range, hence the explicit 172.16 through 172.31 alternation. Address matching misses endpoints given as hostnames, so also alert on any configured storage endpoint outside your known S3 host list.