Cyber Resilience

CVE-2025-54381

Critical · Public PoC

Published: 29 July 2025

Modified: 05 August 2025
KEV Added
Patch
CVSS Score v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L)
EPSS Score: 0.0131 (80.2th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-54381 is a critical-severity SSRF (CWE-918) vulnerability in BentoML. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Service Discovery (T1046). The CVE ranks in the top 19.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised as NLP and Transformers, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

BentoML is a Python library used to build online serving systems for AI applications and model inference. CVE-2025-54381 is a server-side request forgery vulnerability present in versions from 1.4.0 up to, but not including, 1.4.19. It resides in the multipart form data and JSON request handlers that process file uploads; these handlers automatically fetch content from URLs supplied by clients without checking whether the destinations are internal network addresses, cloud metadata services, or other restricted endpoints. The library's documentation explicitly encourages this URL-based upload pattern, leaving all default deployments exposed.

Unauthenticated remote attackers can exploit the flaw simply by submitting crafted upload requests containing arbitrary URLs. Successful exploitation allows the BentoML server to be coerced into issuing HTTP requests to internal or otherwise inaccessible resources, potentially disclosing sensitive data or interacting with cloud instance metadata.

The GitHub Security Advisory GHSA-mrmq-3q62-6cc8 and the associated commit 534c3584621da4ab954bdc3d814cc66b95ae5fb8 state that the issue is resolved in version 1.4.19. Administrators should upgrade immediately and review any custom URL-handling logic that may remain after the patch.
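One way to implement the destination check that the vulnerable handlers lacked, useful as a reference when reviewing custom URL-handling logic. This is an added example, not BentoML's patch or code from the advisory; `vet_upload_url`, `BlockedURL`, the resolver helpers and the sample hostnames and DNS answers are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

class BlockedURL(ValueError):
    """A client-supplied URL that the server must not fetch."""

def system_resolver(host, port):
    # Collect every A/AAAA answer: one internal record is enough to block.
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0].split("%")[0] for info in infos})

def is_forbidden(ip):
    # Unwrap ::ffff:a.b.c.d so an IPv4-mapped literal cannot hide an internal host.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # "not is_global" covers loopback, RFC 1918, CGNAT, reserved ranges and
    # link-local 169.254.0.0/16, where cloud metadata services listen.
    return (not ip.is_global) or ip.is_multicast

def vet_upload_url(url, resolver=system_resolver):
    """Return the vetted IP strings for url, or raise BlockedURL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise BlockedURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise BlockedURL("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise BlockedURL("URL has no host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: no DNS lookup
    except ValueError:
        addrs = resolver(host, port)
    if not addrs:
        raise BlockedURL(f"{host} did not resolve")
    for addr in addrs:
        if is_forbidden(ipaddress.ip_address(addr)):
            raise BlockedURL(f"{host} resolves to non-public address {addr}")
    return addrs

# Constructed DNS answers (not real records) so the example runs offline.
SAMPLE_DNS = {
    "models.example.com": ["93.184.216.34"],
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],
}

def sample_resolver(host, port):
    return SAMPLE_DNS.get(host, [])
```

A check like this only holds if the fetcher connects to one of the returned addresses rather than resolving the name again, and if every redirect hop is vetted the same way.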

The vulnerability affects an AI/ML serving framework, but the EPSS score has remained flat at 0.0131 with no observed increase after disclosure.

Vulnerability details

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.0 until 1.4.19, the file upload processing system contains an SSRF vulnerability that allows unauthenticated remote attackers to force the server to make arbitrary HTTP requests. The vulnerability stems from the multipart form data and JSON request handlers, which automatically download files from user-provided URLs without validating whether those URLs point to internal network addresses, cloud metadata endpoints, or other restricted resources. The documentation explicitly promotes this URL-based file upload feature, making it an intended design that exposes all deployed services to SSRF attacks by default. Version 1.4.19 contains a patch for the issue.

AI Security Analysis

AI Category: NLP and Transformers
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai, bentoml

Related Threats

MITRE ATT&CK Enterprise Techniques

T1046 Network Service Discovery (Discovery)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1526 Cloud Service Discovery (Discovery)
An adversary may attempt to enumerate the cloud services running on a system after gaining access.
T1552.005 Cloud Instance Metadata API (Credential Access)
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

The SSRF vulnerability enables exploitation of a public-facing application (T1190), internal network service discovery via arbitrary HTTP requests (T1046), cloud service discovery (T1526), and access to cloud metadata endpoints for unsecured credentials (T1552.005).

CVEs Like This One

CVE-2026-24123 (same product: Bentoml Bentoml)
CVE-2026-33744 (same product: Bentoml Bentoml)
CVE-2026-44345 (same product: Bentoml Bentoml)
CVE-2026-35044 (same product: Bentoml Bentoml)
CVE-2026-27905 (same product: Bentoml Bentoml)
CVE-2026-35043 (same product: Bentoml Bentoml)
CVE-2026-44346 (same product: Bentoml Bentoml)
CVE-2026-32096 (shared CWE-918)
CVE-2026-31945 (shared CWE-918)
CVE-2026-34163 (shared CWE-918)

Affected Assets

bentoml
bentoml
1.4.0 — 1.4.19

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Directly mitigates the SSRF vulnerability by identifying, reporting, and applying the specific patch released in BentoML version 1.4.19.

prevent

Requires validation of user-provided URLs in multipart form data and JSON handlers to block malicious internal or restricted resource requests.

prevent

Enforces boundary protections to monitor and restrict the BentoML server's outbound HTTP requests to internal networks, cloud metadata, or restricted resources.
