CVE-2025-54381

Published Jul 29, 2025

Last updated 7 months ago

Overview

Description
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions from 1.4.0 up to, but not including, 1.4.19, the file upload processing system contains an SSRF vulnerability that allows unauthenticated remote attackers to force the server to make arbitrary HTTP requests. The vulnerability stems from the multipart form data and JSON request handlers, which automatically download files from user-provided URLs without validating whether those URLs point to internal network addresses, cloud metadata endpoints, or other restricted resources. The documentation explicitly promotes this URL-based file upload feature, so the behaviour is an intended design that exposes all deployed services to SSRF attacks by default. Version 1.4.19 contains a patch for the issue.
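The mitigation the description implies is to vet a user-supplied download URL before the server fetches it. The following is an added example written for this page, not BentoML's own code: `is_safe_fetch_url` (a hypothetical helper, as is its injectable `resolve` parameter) refuses non-HTTP(S) schemes and any host whose addresses are not all public, which covers internal networks and the link-local cloud metadata range the advisory names.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example (hypothetical helper, not BentoML's code): vet a user-supplied
# download URL before the server fetches it. Refuses non-HTTP(S) schemes and
# hosts that reach internal, loopback, link-local (incl. cloud metadata),
# multicast, reserved or unspecified addresses.

ALLOWED_SCHEMES = {"http", "https"}


def _default_resolver(host):
    """Resolve a hostname to all of its A/AAAA records (needs network)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def _is_public(addr):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop IPv6 scope id
    # Unwrap ::ffff:a.b.c.d so a mapped loopback/private IPv4 is not missed.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def is_safe_fetch_url(url, resolve=_default_resolver):
    """Return True only if every address the URL can reach is public.

    `resolve` is injectable so the check can run without DNS in tests.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        candidates = [str(ipaddress.ip_address(parts.hostname))]  # IP literal
    except ValueError:
        try:
            candidates = resolve(parts.hostname)  # hostname: check all records
        except (socket.gaierror, OSError):
            return False
    # One internal record is enough to refuse: the client may connect to any.
    return bool(candidates) and all(_is_public(a) for a in candidates)
```

Resolving here and then letting the HTTP client resolve again leaves a DNS rebinding window, so a production version should connect to the vetted address itself and re-run the check on every redirect.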
Source
security-advisories@github.com
NVD status
Analyzed
Products
bentoml

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.9
Impact score
5.3
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-918

Social media

Hype score
Not currently trending
  1. How Tenable Found a Way To Bypass a Patch for BentoML’s Server-Side Request Forgery Vulnerability CVE-2025-54381 https://t.co/BH7Hwd8lDR https://t.co/34KfHiSFpF
     @IT_Peurico, 24 Sept 2025. 22 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes.

  2. How Tenable Found a Way To Bypass a Patch for BentoML’s Server-Side Request Forgery Vulnerability CVE-2025-54381 https://t.co/0YDgJJjcsg https://t.co/BZw8IW2XFH
     @secured_cyber, 22 Sept 2025. 46 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes.

  3. How Tenable Found a Way To Bypass a Patch for BentoML’s Server-Side Request Forgery Vulnerability CVE-2025-54381 https://t.co/TxZLs1egkh https://t.co/9yA3Jos2Bh
     @secured_cyber, 22 Sept 2025. 48 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes.

  4. How Tenable Found a Way To Bypass a Patch for BentoML’s Server-Side Request Forgery Vulnerability CVE-2025-54381 https://t.co/vGW7mJBvED https://t.co/b3I4xArsGS
     @valterpcjr, 19 Sept 2025. 26 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes.

  5. How Tenable Found a Way To Bypass a Patch for BentoML’s Server-Side Request Forgery Vulnerability CVE-2025-54381 https://t.co/3OghIedYfS https://t.co/UjF7zMUInR
     @pcasano, 19 Sept 2025. 40 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes.

  6. How Tenable Found a Way To Bypass a Patch for BentoML’s Server-Side Request Forgery Vulnerability CVE-2025-54381 https://t.co/nINxykryFf https://t.co/opW1i5wJKz
     @Trej0Jass, 18 Sept 2025. 24 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes.

  7. How Tenable Found a Way To Bypass a Patch for BentoML’s Server-Side Request Forgery Vulnerability CVE-2025-54381 https://t.co/iqrkms92dM https://t.co/OiHfgydPbE
     @ggrubamn, 17 Sept 2025. 29 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes.

  8. #CVE-2025-54381 | BentoML - Unauthenticated SSRF (Critical) #BentoML versions 1.4.0 to 1.4.18 are vulnerable to an unauthenticated Server-Side Request Forgery (#SSRF) due to improper validation of user-provided URLs in file upload handlers. This allows attackers to force the ht
     @CheckmarxZero, 30 Jul 2025. 59 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes.

  9. 🚨BentoML SSRF (CVE-2025-54381) lets attackers force servers to make arbitrary HTTP requests, exposing internal networks! Upgrade to v1.4.19 NOW. Protect your AI apps. 🔒 More info: https://t.co/BJ6cNeIioM https://t.co/jKHzpOzkY2
     @rapidriskradar, 30 Jul 2025. 5 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes.

  10. Warning: SSRF vulnerability in @bentomlai (1.4.0–1.4.18). #CVE-2025-54381 CVSS: 9.9. Unauth attackers can trigger internal HTTP requests via file upload. This flaw exposes deployed AI services to SSRF! Fixed in 1.4.19. #Patch #Patch #Patch https://t.co/OvUZLFY0hA
     @CCBalert, 30 Jul 2025. 34 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes.

  11. 🚨🚨CVE-2025-54381 (CVSS 9.9): BentoML SSRF vuln lets unauthenticated attackers trigger rogue HTTP requests via file uploads, risking internal networks & cloud metadata due to unvalidated URLs. Search by vul.cve Filter👉vul.cve="CVE-2025-54381" ZoomEye Dork👉app="Ben
     @zoomeye_team, 30 Jul 2025. 922 impressions, 3 retweets, 13 likes, 3 bookmarks, 0 replies, 0 quotes.

  12. [CVE-2025-54381: CRITICAL] BentoML versions 1.4.0-1.4.19 have SSRF vulnerabilities allowing unauthenticated attackers to make server HTTP requests; Patch available in version 1.4.19.#cve,CVE-2025-54381,#cybersecurity https://t.co/bMjVSRzltJ https://t.co/3BckdAJ8mO
     @CveFindCom, 29 Jul 2025. 51 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes.

Configurations