Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN489
_____________________________________________________________________

DATE                : 01/08/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running bentoml (pip) versions
                                 prior to 1.4.19.

=====================================================================
https://github.com/advisories/GHSA-mrmq-3q62-6cc8
_____________________________________________________________________


BentoML SSRF Vulnerability in File Upload Processing
Critical severity GitHub Reviewed Published Jul 29, 2025 in
bentoml/BentoML • Updated Jul 30, 2025

Vulnerability details

Package
bentoml (pip)

Affected versions
>= 1.4.0, < 1.4.19

Patched versions
1.4.19


Description

Description

There's an SSRF in the file upload processing system that allows remote
attackers to make arbitrary HTTP requests from the server without
authentication. The vulnerability exists in the
serialization/deserialization handlers for multipart form data and
JSON requests, which automatically download files from user-provided
URLs without proper validation of internal network addresses.

The framework automatically registers any service endpoint with
file-type parameters (pathlib.Path, PIL.Image.Image) as vulnerable
to this attack, making it a framework-wide security issue that affects
most real-world ML services handling file uploads. While BentoML
implements basic URL scheme validation in the JSONSerde path, the
MultipartSerde path has no validation whatsoever, and neither path
restricts access to internal networks, cloud metadata endpoints, or
localhost services.

The documentation explicitly promotes this URL-based file upload
feature, making it an intended but insecure design that exposes all
deployed services to SSRF attacks by default.


Source - Sink Analysis

Source: User-controlled multipart form field values and JSON request
bodies containing URLs

Call Chain - Path 1 (MultipartSerde - No Validation):

    HTTP POST request with multipart form data to any BentoML endpoint
with file-type input parameters
    MultipartSerde.parse_request() in src/_bentoml_impl/serde.py:202
processes the request
    form = await request.form() parses multipart data using Starlette
    For file-type fields: value = [await self.ensure_file(v) for v in
form.getlist(k)] at line 209
    MultipartSerde.ensure_file() called at lines 186-200 with
user-controlled string URL
    Sink: resp = await client.get(obj) at line 193 - Direct HTTP
request with zero validation


Call Chain - Path 2 (JSONSerde - Weak Validation):

    HTTP POST request with JSON body containing URL to endpoint with
IORootModel + multipart_fields
    JSONSerde.parse_request() in src/_bentoml_impl/serde.py:157
processes the request
    body = await request.body() extracts request body
    Condition check: if issubclass(cls, IORootModel) and
cls.multipart_fields: at line 164
    Weak validation: if is_http_url(url := body.decode("utf-8", "ignore")):
at line 165 (only checks scheme)
    Sink: resp = await client.get(url) at line 168 - HTTP request
after insufficient validation


Proof of Concept

Create a BentoML service:

from pathlib import Path
import bentoml

@bentoml.service  
class ImageProcessor:
    @bentoml.api
    def process_image(self, image: Path) -> str:
        return f"Processed image: {image}"


Deploy and exploit:

# Start service (binds to 0.0.0.0:3000 by default)
bentoml serve service.py:ImageProcessor

# SSRF Attack 1 - Access AWS metadata  
curl -X POST http://target:3000/process_image \
     -F 'image=http://169.254.169.254/latest/meta-data/'

# SSRF Attack 2 - Internal service enumeration
curl -X POST http://target:3000/process_image \  
     -F 'image=http://localhost:8080/admin'

# SSRF Attack 3 - Internal network scanning
curl -X POST http://target:3000/process_image \
     -F 'image=http://10.0.0.1:22'

Expected result: Server makes HTTP requests to internal/cloud
endpoints, potentially returning sensitive data in error messages
or logs.


Impact

    Access AWS/GCP/Azure cloud metadata services for credential theft
    Enumerate and interact with internal HTTP services and APIs
    Bypass firewall restrictions to reach internal network resources
    Perform network reconnaissance from the server's perspective
    Retrieve sensitive information disclosed in HTTP response data
    Potential for internal service exploitation through crafted requests


Remediation

Implement comprehensive URL validation in both serialization paths
by adding network restriction checks to prevent access to
internal/private network ranges, localhost, and cloud metadata endpoints.
The existing is_http_url() function should be enhanced to include
allowlist validation rather than just scheme checking.


References

    GHSA-mrmq-3q62-6cc8
    bentoml/BentoML@534c358
    https://nvd.nist.gov/vuln/detail/CVE-2025-54381


Severity
Critical
9.9/ 10
CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

EPSS score
0.028% (6th percentile)

Weaknesses
Weakness CWE-918

CVE ID
CVE-2025-54381

GHSA ID
GHSA-mrmq-3q62-6cc8

Source code
bentoml/BentoML


Credits

    @geckosecurity geckosecurity Reporter
    @jjjutla jjjutla Finder
    @nkoorty nkoorty Finder

This advisory has been edited. See History.
See something to contribute? Suggest improvements for this vulnerability.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================