CVE-2025-54381 Overview
CVE-2025-54381 is a critical Server-Side Request Forgery (SSRF) vulnerability affecting BentoML, a popular Python library for building online serving systems optimized for AI applications and model inference. The vulnerability exists in the file upload processing system, allowing unauthenticated remote attackers to force the server to make arbitrary HTTP requests to internal network resources, cloud metadata endpoints, or other restricted services.
The vulnerability stems from the multipart form data and JSON request handlers, which automatically download files from user-provided URLs without validating whether those URLs point to internal network addresses or other restricted resources. This is particularly concerning as the URL-based file upload feature is explicitly promoted in BentoML's documentation, making it an intended design that exposes all deployed AI services to SSRF attacks by default.
Critical Impact
Unauthenticated attackers can exploit this SSRF vulnerability to access internal network resources, cloud metadata services (AWS IMDSv1, GCP metadata, Azure IMDS), and other protected endpoints from any BentoML deployment running versions 1.4.0 through 1.4.18.
Affected Products
- BentoML versions 1.4.0 through 1.4.18
- All BentoML deployments with default configurations exposing HTTP endpoints
- AI/ML serving platforms built on vulnerable BentoML versions
Discovery Timeline
- 2025-07-29 - CVE-2025-54381 published to NVD
- 2025-08-05 - Last updated in NVD database
Technical Details for CVE-2025-54381
Vulnerability Analysis
This SSRF vulnerability (CWE-918: Server-Side Request Forgery) exists in BentoML's request serialization and deserialization layer. The file upload processing system accepts URLs from user input and automatically fetches content from those URLs server-side without proper validation. This design pattern, while convenient for legitimate use cases, creates a significant security exposure when deployed in production environments.
The vulnerability is particularly dangerous in cloud environments where instance metadata services are accessible via well-known internal URLs. An attacker can craft malicious requests to access AWS credentials via http://169.254.169.254/latest/meta-data/, GCP service account tokens, Azure managed identity credentials, or internal corporate resources that the BentoML server can reach.
Root Cause
The root cause lies in the serde.py module's request handling logic, which processes multipart form data and JSON requests containing file URLs. The original implementation used the is_http_url() utility function to validate URLs but did not include checks to prevent access to internal IP ranges, localhost addresses, or cloud metadata endpoints.
The security patch introduces a new is_safe_url() function that performs comprehensive URL validation, including:
- Resolution of hostnames to IP addresses using the socket module
- Validation against private IP ranges using the ipaddress module
- Blocking of localhost, link-local, and other restricted address spaces
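The validation steps listed above, as an added example rather than BentoML's actual is_safe_url() code: the function names check_url, is_restricted and resolve_all and the injectable resolver parameter are assumptions made here so the check can be exercised without live DNS.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added example; names are hypothetical, this is not BentoML's is_safe_url().

def resolve_all(host, port):
    """Default resolver: every address (A and AAAA) the name maps to."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]

def is_restricted(addr):
    """True for loopback, private, link-local and other non-public ranges."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is judged as 10.0.0.1
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def check_url(url, resolver=resolve_all):
    """Return (allowed, reason) for a user-supplied URL, before any fetch."""
    try:
        parsed = urlparse(url)
        host, port = parsed.hostname, parsed.port
    except ValueError:
        return False, "malformed URL"
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not host:
        return False, "no host"
    port = port or (443 if parsed.scheme == "https" else 80)
    try:
        addrs = resolver(host, port)
    except OSError:
        return False, "resolution failed"
    if not addrs:
        return False, "resolution failed"
    # A name can map to several addresses: reject if any one is restricted.
    for addr in addrs:
        if is_restricted(addr):
            return False, f"restricted address {addr}"
    # Fetch by connecting to the validated address, so a second DNS lookup
    # cannot return a different (internal) answer after this check.
    return True, "ok"
```

A check like this covers only the URL it is given; a fetcher that follows HTTP redirects needs the same check applied to each redirect target.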
Attack Vector
An attacker can exploit this vulnerability by sending HTTP requests to a BentoML endpoint with malicious URLs embedded in the request body. The server-side code will fetch content from these URLs, potentially exposing sensitive internal data or enabling further attacks against internal infrastructure.
# Security patch in src/_bentoml_impl/serde.py - adding is_safe_url validation
from _bentoml_sdk.validators import DataframeSchema
from _bentoml_sdk.validators import TensorSchema
from bentoml._internal.utils.uri import is_http_url
+from bentoml._internal.utils.uri import is_safe_url
if t.TYPE_CHECKING:
from starlette.requests import Request
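Review bot: the only visible change in serde.py is the added import of is_safe_url next to the retained is_http_url import, so the call sites need checking. Confirm that every branch that downloads a user-supplied URL, in both the multipart form handler and the JSON handler, calls is_safe_url before the fetch and that no path is left validating with is_http_url alone. A test per handler that submits a loopback URL and asserts rejection would pin this down.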
Source: GitHub Commit Details
# Security patch in src/bentoml/_internal/utils/uri.py - adding IP validation capabilities
+import ipaddress
import os
import pathlib
+import socket
from urllib.parse import quote
from urllib.parse import unquote
from urllib.parse import urlparse
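Review bot: the socket and ipaddress imports added in uri.py imply a resolve-then-check design, and the function built on them should state what it guarantees at fetch time. Document whether every address returned for a hostname is checked rather than only the first, and whether the later download reuses the validated address instead of resolving the name again. HTTP redirects deserve a line in the docstring as well, since a check made only on the original URL does not cover a redirect target.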
Source: GitHub Commit Details
Detection Methods for CVE-2025-54381
Indicators of Compromise
- Outbound HTTP requests from BentoML servers to internal IP ranges (10.x.x.x, 172.16-31.x.x, 192.168.x.x)
- Access attempts to cloud metadata endpoints (169.254.169.254, 169.254.170.2)
- Unusual file upload requests containing URLs pointing to internal resources
- Server-side requests to localhost or loopback addresses (127.0.0.1, ::1)
Detection Strategies
- Monitor network traffic from BentoML servers for connections to RFC 1918 private IP ranges
- Implement web application firewall rules to detect SSRF payloads in request bodies
- Configure cloud provider VPC flow logs to identify unauthorized metadata service access
- Deploy intrusion detection rules for common SSRF URL patterns in HTTP request payloads
Monitoring Recommendations
- Enable detailed access logging on BentoML services to capture full request bodies
- Configure alerts for any outbound connections from ML serving infrastructure to metadata endpoints
- Implement egress filtering and monitor for policy violations from BentoML deployments
- Review cloud provider security logs for unexpected instance metadata service access patterns
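One way to apply the indicators above to logged request bodies, as an added example that is not part of the original advisory: the log format (one JSON record per line with src, path and body fields), the sample records and the function names are all constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlparse
NAMED_HOSTS = {"169.254.169.254": "cloud-metadata", "169.254.170.2": "cloud-metadata",
               "metadata.google.internal": "cloud-metadata", "localhost": "loopback"}
SAMPLE_LOG = """\
{"src": "203.0.113.7", "path": "/predict", "body": {"image": "https://cdn.example.com/cat.png"}}
{"src": "198.51.100.9", "path": "/predict", "body": {"image": "http://169.254.169.254/latest/meta-data/"}}
{"src": "198.51.100.9", "path": "/embed", "body": {"inputs": [{"file": "http://10.1.2.3:8080/status"}]}}
{"src": "198.51.100.9", "path": "/embed", "body": {"file": "http://localhost:3000/", "note": "plain text"}}
truncated-or-non-JSON line
"""  # constructed records; the field names (src, path, body) are assumptions

def iter_urls(value):
    """Yield every http(s) URL string nested anywhere in a JSON body."""
    if isinstance(value, dict):
        value = list(value.values())
    if isinstance(value, list):
        for item in value:
            yield from iter_urls(item)
    elif isinstance(value, str) and value.lower().startswith(("http://", "https://")):
        yield value

def classify(url):
    """Label a URL whose host is an internal destination, else return None."""
    try:
        host = (urlparse(url).hostname or "").lower()
        if host in NAMED_HOSTS:
            return NAMED_HOSTS[host]
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # DNS name or unparsable URL: judge from egress logs instead
    checks = (("loopback", ip.is_loopback), ("link-local", ip.is_link_local),
              ("private-range", ip.is_private))
    return next((label for label, hit in checks if hit), None)

def scan(log_text):
    """Return (line_no, client, label, url) for each suspicious URL found."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON records
        body = record.get("body") if isinstance(record, dict) else None
        for url in iter_urls(body):
            if (label := classify(url)):
                findings.append((line_no, record.get("src"), label, url))
    return findings
```

URLs that use a DNS name are not flagged by this scan, so it complements the flow-log and egress monitoring listed above rather than replacing it.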
How to Mitigate CVE-2025-54381
Immediate Actions Required
- Upgrade all BentoML installations to version 1.4.19 or later immediately
- Audit existing BentoML deployments for signs of exploitation in server logs
- Implement network-level controls to restrict outbound access from ML serving infrastructure
- Review and revoke any cloud credentials that may have been exposed through metadata service access
Patch Information
BentoML has released version 1.4.19, which contains a comprehensive fix for this SSRF vulnerability. The patch introduces the is_safe_url() function, which validates URLs before fetching content and blocks requests to private IP ranges, localhost, and other restricted addresses.
The security fix can be reviewed in the GitHub commit and the complete security advisory is available at the GitHub Security Advisory.
Workarounds
- Deploy a reverse proxy or web application firewall in front of BentoML services to filter SSRF payloads
- Implement network segmentation to prevent ML serving infrastructure from accessing sensitive internal resources
- Use cloud metadata service hardening (AWS IMDSv2, Azure IMDS restrictions) to limit credential exposure
- Configure egress firewall rules to block outbound connections to private IP ranges from BentoML servers
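# Configuration example - Network egress restrictions using iptables
# Block outbound connections from the BentoML server to the metadata endpoint, private IP ranges and loopback
# Note: OUTPUT rules apply to every local process, so the 127.0.0.0/8 rule also drops loopback traffic between services on this host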
iptables -A OUTPUT -d 169.254.169.254 -j DROP
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -d 127.0.0.0/8 -j DROP


