CVE-2025-54381

CVE-2025-54381 is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) in the BentoML Python library, which is used for building online serving systems optimized for AI applications and model inference. The issue affects versions 1.4.0 through 1.4.19 and resides in the file upload processing system, specifically the multipart form data and JSON request handlers. These handlers automatically download files from user-provided URLs without validation, allowing requests to internal network addresses, cloud metadata endpoints, or other restricted resources. The feature is promoted in the documentation as an intended URL-based file upload mechanism, leaving deployed BentoML services exposed by default. The vulnerability carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L).

Unauthenticated remote attackers can exploit this vulnerability by sending crafted requests with malicious URLs, forcing the BentoML server to initiate arbitrary HTTP requests on their behalf. This enables attackers to scan and interact with internal networks, access sensitive metadata services (such as those in cloud environments), or probe restricted resources that are inaccessible from the public internet.

The BentoML project has addressed the issue in version 1.4.19 via a patch detailed in GitHub commit 534c3584621da4ab954bdc3d814cc66b95ae5fb8. Security practitioners should upgrade to this version immediately, as advised in the GitHub Security Advisory GHSA-mrmq-3q62-6cc8.

Given BentoML's focus on AI model serving, this SSRF vulnerability is particularly relevant for ML/AI deployments, where exposed inference endpoints could be leveraged to pivot into internal infrastructure hosting training data or proprietary models. No public reports of real-world exploitation were noted at publication on 2025-07-29.