CVE-2025-25297
Published: 14 February 2025
Summary
CVE-2025-25297 is a high-severity SSRF (CWE-918) vulnerability in Humansignal Label Studio. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Remote System Discovery (T1018); ranked at the 16.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2025-25297 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting Label Studio, an open-source data labeling tool, in versions prior to 1.16.0. The issue resides in the S3 storage integration feature, specifically the endpoint configuration. When creating an S3 storage connection, users can specify a custom S3 endpoint URL via the s3_endpoint parameter, which is passed directly to the boto3 AWS SDK without validation of the protocol or destination. This allows arbitrary HTTP requests to internal services when the storage sync operation is triggered.
Unauthenticated remote attackers (AV:N/AC:L/PR:N/UI:N) can exploit this vulnerability over the network with low complexity and no user interaction. By setting the s3_endpoint to target internal services, attackers cause the application to issue S3 API calls to those endpoints during sync operations. The responses from these requests appear in error messages, including full response bodies, enabling attackers to bypass network segmentation, access otherwise isolated internal services, and exfiltrate sensitive data. The vulnerability has a CVSS v3.1 base score of 8.6, with high confidentiality impact and changed scope (S:C/C:H/I:N/A:N).
The patch is available in Label Studio version 1.16.0. Official advisories and the fixing commit are documented on GitHub at https://github.com/HumanSignal/label-studio/security/advisories/GHSA-m238-fmcw-wh58 and https://github.com/HumanSignal/label-studio/commit/06a2b29c1208e1878ccae66e6b84c8b24598fa79.
Label Studio's role as a data labeling tool gives this vulnerability relevance to AI/ML workflows, where it may be deployed to annotate datasets for model training. No public information on real-world exploitation is available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4107
Vulnerability details
Label Studio is an open source data labeling tool. Prior to version 1.16.0, Label Studio's S3 storage integration feature contains a Server-Side Request Forgery (SSRF) vulnerability in its endpoint configuration. When creating an S3 storage connection, the application allows users…
more
to specify a custom S3 endpoint URL via the s3_endpoint parameter. This endpoint URL is passed directly to the boto3 AWS SDK without proper validation or restrictions on the protocol or destination. The vulnerability allows an attacker to make the application send HTTP requests to arbitrary internal services by specifying them as the S3 endpoint. When the storage sync operation is triggered, the application attempts to make S3 API calls to the specified endpoint, effectively making HTTP requests to the target service and returning the response in error messages. This SSRF vulnerability enables attackers to bypass network segmentation and access internal services that should not be accessible from the external network. The vulnerability is particularly severe because error messages from failed requests contain the full response body, allowing data exfiltration from internal services. Version 1.16.0 contains a patch for the issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF via unvalidated S3 endpoint allows direct internal HTTP requests, enabling remote system discovery (T1018), network service discovery (T1046), system information discovery from responses (T1082), access to data on local/internal systems (T1005), and exfiltration of sensitive data through error message responses (T1041).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Validates the s3_endpoint parameter to ensure only legitimate S3 endpoints are accepted, directly preventing SSRF exploitation via arbitrary internal service targeting.
Monitors and controls outbound communications at system boundaries to block or detect application requests to unauthorized internal services.
Handles errors from failed S3 API calls without disclosing full response bodies from internal services, mitigating data exfiltration.