CVE-2025-54381
Published: 29 July 2025
Summary
CVE-2025-54381 is a critical-severity SSRF (CWE-918) vulnerability in BentoML. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Service Discovery (T1046). The CVE is ranked in the top 19.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as NLP and Transformers; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
BentoML is a Python library used to build online serving systems for AI applications and model inference. CVE-2025-54381 is a server-side request forgery vulnerability present in versions 1.4.0 through 1.4.19. It resides in the multipart form data and JSON request handlers that process file uploads; these handlers automatically fetch content from URLs supplied by clients without checking whether the destinations are internal network addresses, cloud metadata services, or other restricted endpoints. The library's documentation explicitly encourages this URL-based upload pattern, leaving all default deployments exposed.
Unauthenticated remote attackers can exploit the flaw simply by submitting crafted upload requests containing arbitrary URLs. Successful exploitation allows the BentoML server to be coerced into issuing HTTP requests to internal or otherwise inaccessible resources, potentially disclosing sensitive data or interacting with cloud instance metadata.
The GitHub Security Advisory GHSA-mrmq-3q62-6cc8 and the associated commit 534c3584621da4ab954bdc3d814cc66b95ae5fb8 state that the issue is resolved in version 1.4.19. Administrators should upgrade immediately and review any custom URL-handling logic that may remain after the patch.
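As an added illustration (not code from BentoML or the advisory), the kind of pre-fetch URL check that the input-validation mitigation (SI-10) calls for: every address a client-supplied upload URL resolves to is tested against loopback, private, link-local (which covers the 169.254.169.254 metadata endpoint) and other non-global ranges before any fetch. `validate_upload_url`, `is_restricted` and the injectable `resolver` are assumptions of this example, not BentoML APIs.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed example, not BentoML's own code: a fail-closed check applied to a
# client-supplied URL before the server fetches it on the client's behalf.
ALLOWED_SCHEMES = {"http", "https"}


def is_restricted(addr):
    """True for addresses a server must never fetch for a client: loopback,
    RFC 1918, link-local (169.254.169.254 metadata), CGNAT, documentation and
    reserved ranges, multicast, and IPv4-mapped IPv6 forms of any of these."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return is_restricted(addr.ipv4_mapped)
    return not addr.is_global or addr.is_multicast


def resolve_all(host):
    """Every address the name resolves to; one safe record is not enough."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_upload_url(url, resolver=resolve_all):
    """Return (ok, reason). `resolver` is injectable so tests run offline."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        # A literal IP needs no lookup; a name must have ALL answers checked.
        addrs = {ipaddress.ip_address(parts.hostname)}
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(parts.hostname)}
        except (OSError, ValueError):
            return False, "hostname does not resolve"
    if not addrs:
        return False, "hostname does not resolve"
    for addr in addrs:
        if is_restricted(addr):
            return False, f"{parts.hostname} resolves to restricted address {addr}"
    return True, "ok"


if __name__ == "__main__":
    print(validate_upload_url("http://169.254.169.254/latest/meta-data/"))
```

Because the check resolves the name itself, the HTTP client that performs the fetch should connect to the validated address rather than re-resolving, and should either not follow redirects or re-run the check on each redirect target.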
The vulnerability affects an AI/ML serving framework, but the EPSS score has remained flat at 0.0131 with no observed increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23049
Vulnerability details
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.0 until 1.4.19, the file upload processing system contains an SSRF vulnerability that allows unauthenticated remote attackers to force the server to make arbitrary HTTP requests. The vulnerability stems from the multipart form data and JSON request handlers, which automatically download files from user-provided URLs without validating whether those URLs point to internal network addresses, cloud metadata endpoints, or other restricted resources. The documentation explicitly promotes this URL-based file upload feature, making it an intended design that exposes all deployed services to SSRF attacks by default. Version 1.4.19 contains a patch for the issue.
- CWE(s): CWE-918 (Server-Side Request Forgery)
AI Security Analysis
- AI Category: NLP and Transformers
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai, bentoml
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF vulnerability enables exploitation of public-facing application (T1190), internal network service discovery via arbitrary HTTP requests (T1046), cloud service discovery (T1526), and access to cloud metadata endpoints for unsecured credentials (T1552.005).
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the SSRF vulnerability by identifying, reporting, and applying the specific patch released in BentoML version 1.4.19.
- SI-10 (Information Input Validation): Requires validation of user-provided URLs in multipart form data and JSON handlers to block malicious internal or restricted resource requests.
- SC-7 (Boundary Protection): Enforces boundary protections to monitor and restrict the BentoML server's outbound HTTP requests to internal networks, cloud metadata, or restricted resources.