PT-2025-31269 · Bentoml · Bentoml

Geckosecurity +2 · Published 2025-07-29 · Updated 2025-10-15 · CVE-2025-54381

CVSS v3.1: 9.9 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

Name of the Vulnerable Software and Affected Versions

BentoML versions 1.4.0 through 1.4.19

Description

BentoML contains a Server-Side Request Forgery (SSRF) issue in the file upload processing system. This allows unauthenticated remote attackers to force the server to make arbitrary HTTP requests. The vulnerability stems from the multipart form data and JSON request handlers, which automatically download files from user-provided URLs without validating whether those URLs point to internal network addresses, cloud metadata endpoints, or other restricted resources. The documentation explicitly promotes this URL-based file upload feature, making it an intended design that exposes all deployed services to SSRF attacks by default. The vulnerability exists in the serialization/deserialization handlers, specifically in MultipartSerde.parse_request() and JSONSerde.parse_request(). The MultipartSerde path lacks validation, while the JSONSerde path has weak validation, only checking the URL scheme.

API Endpoints: Any BentoML endpoint with file-type input parameters.

Vulnerable Parameters or Variables: image (in the proof of concept), user-controlled URLs in multipart form fields and JSON request bodies.

Function Names: MultipartSerde.parse_request(), MultipartSerde.ensure_file(), JSONSerde.parse_request().

Recommendations

Update to BentoML version 1.4.19 or later. Implement comprehensive URL validation in both serialization paths. Add network restriction checks to prevent access to internal/private network ranges, localhost, and cloud metadata endpoints. Enhance the is_http_url() function to include allowlist validation instead of just scheme checking.
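
The following is an added example, not BentoML's code or its fix: a scheme-only check next to a validator that also applies the network restrictions and optional allowlist named in the recommendations. The function names, the allowed_hosts parameter, the injectable resolver and the DNS table are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed DNS answers so the example runs offline (not real records).
FAKE_DNS = {"files.example.com": ["93.184.216.34"],
            "intranet.example.com": ["10.0.0.5"],
            "mixed.example.com": ["93.184.216.34", "127.0.0.1"]}

def fake_resolver(host):
    return FAKE_DNS.get(host, [])

def system_resolver(host):
    """Every address the OS resolver returns for host."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def scheme_only_check(url):
    """The weak pattern: only the URL scheme is inspected."""
    return urlsplit(url).scheme in ALLOWED_SCHEMES

def is_public(addr):
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # False for loopback, RFC 1918, link-local (169.254.0.0/16, where cloud
    # metadata services live), unspecified and reserved ranges.
    return ip.is_global

def addresses_for(host, resolver):
    try:
        return [str(ipaddress.ip_address(host))]  # IP literal, no lookup
    except ValueError:
        return resolver(host)

def is_safe_fetch_url(url, allowed_hosts=None, resolver=system_resolver):
    """True only for http(s) URLs whose host maps solely to public IPs."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
        if parts.scheme not in ALLOWED_SCHEMES or not host:
            return False
        if allowed_hosts is not None and host not in allowed_hosts:
            return False
        addrs = addresses_for(host, resolver)
        return bool(addrs) and all(is_public(a) for a in addrs)
    except (ValueError, OSError):  # malformed URL/address or failed lookup
        return False
```

A check like this only holds if the download then connects to the address that was validated; a client that resolves the name again or follows redirects has to re-validate each new target.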

Exploit

Fix

SSRF


Weakness Enumeration

Related Identifiers

BDU:2026-00109
CVE-2025-54381
GHSA-MRMQ-3Q62-6CC8

Affected Products

Bentoml