CVE-2025-54381

9.9 CRITICAL

📋 TL;DR

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in BentoML's file upload system. Unauthenticated attackers can force the server to make arbitrary HTTP requests to internal networks, cloud metadata endpoints, or other restricted resources. All BentoML deployments using versions 1.4.0 through 1.4.18 with the URL-based file upload feature are affected.

💻 Affected Systems

Products:
  • BentoML
Versions: 1.4.0 through 1.4.18
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default URL-based file upload feature, which is documented as intended functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access sensitive internal services, cloud metadata (potentially obtaining credentials), perform port scanning of internal networks, or chain with other vulnerabilities to achieve remote code execution.

🟠 Likely Case

Information disclosure from internal services, cloud metadata exposure, and potential lateral movement within internal networks.

🟢 If Mitigated

Limited to external resource access only, with no internal network exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and exploitation is straightforward via crafted HTTP requests with malicious URLs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.19

Vendor Advisory: https://github.com/bentoml/BentoML/security/advisories/GHSA-mrmq-3q62-6cc8

Restart Required: Yes

Instructions:

1. Update BentoML to version 1.4.19 or later using pip: pip install --upgrade "bentoml>=1.4.19" (quote the requirement so the shell does not treat >= as an output redirect)
2. Restart all BentoML services
3. Verify the fix by testing URL-based file upload functionality

🔧 Temporary Workarounds

Disable URL-based file uploads

all

Disable the vulnerable feature by modifying BentoML configuration to reject URL-based file uploads

Modify BentoML configuration to set allow_url_uploads: false in service configuration

Network segmentation

all

Restrict BentoML server's outbound network access to prevent SSRF attacks

Configure firewall rules to block BentoML server from accessing internal networks and cloud metadata endpoints

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate BentoML servers from internal networks and cloud metadata services
  • Deploy a web application firewall (WAF) with SSRF protection rules to filter malicious requests

🔍 How to Verify

Check if Vulnerable:

Check if BentoML version is between 1.4.0 and 1.4.18 inclusive, and test if URL-based file uploads are enabled and can access internal resources

Check Version:

python -c "import bentoml; print(bentoml.__version__)"

Verify Fix Applied:

After updating to 1.4.19+, test that URL-based file uploads to internal addresses (like 127.0.0.1, 169.254.169.254) are rejected

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from BentoML server to internal IP addresses
  • Requests to cloud metadata endpoints (169.254.169.254, 100.100.100.200)
  • Multiple failed file upload attempts with URL patterns

Network Indicators:

  • BentoML server making HTTP requests to internal network segments
  • Requests to restricted cloud endpoints from application servers

SIEM Query:

source="bentoml" AND (url="*://169.254.169.254*" OR url="*://127.*" OR url="*://10.*" OR url="*://192.168.*" OR url="*://172.16.*")
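
The query above matches on URL text, so it misses most of 172.16.0.0/12, the 100.100.100.200 metadata address, and literal IPs written in other forms. The following is an added example (not BentoML code and not part of the advisory) that parses each logged URL and classifies the destination by address range instead; the `url=` log field and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Metadata addresses listed in the log indicators above.
METADATA = {ipaddress.ip_address(a) for a in ("169.254.169.254", "100.100.100.200")}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def host_to_ip(host):
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        if host.isdigit() and int(host) < 2**32:  # 2130706433 == 127.0.0.1
            return ipaddress.ip_address(int(host))
        return None  # a DNS name; resolving it is out of scope here

def classify(url):
    """Label a URL destination: metadata, internal, hostname or external."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host.lower() == "localhost":
        return "internal"
    ip = host_to_ip(host)
    if ip is None:
        return "hostname"
    ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
    if ip in METADATA:
        return "metadata"
    if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return "internal"
    return "external"

def scan(lines):
    """Return (line_no, url, label) for URLs aimed at internal or metadata IPs."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            label = classify(url)
            if label in ("metadata", "internal"):
                hits.append((n, url, label))
    return hits

# Constructed sample lines; the "url=" log field is an assumption.
SAMPLE_LOG = [
    'fetch url="https://cdn.example.com/cat.png" status=200',
    'fetch url="http://169.254.169.254/" status=200',
    'fetch url="http://172.31.5.9:8080/admin" status=200',
    'fetch url="http://2130706433/" status=502',
    'fetch url="http://172.32.0.1/" status=200',
]
```

URLs labelled `hostname` are not judged here; a DNS name can still resolve to an internal address, so pair this with the outbound network restrictions described under the workarounds.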
