CVE-2025-54381: 
Python vulnerability analysis and mitigation

BentoML, a Python library for building online serving systems optimized for AI apps and model inference, disclosed a critical vulnerability (CVE-2025-54381) affecting versions 1.4.0 through 1.4.19. The vulnerability was discovered on July 29, 2025, and involves a Server-Side Request Forgery (SSRF) in the file upload processing system that allows unauthenticated remote attackers to force the server to make arbitrary HTTP requests (GitHub Advisory).

The vulnerability stems from the multipart form data and JSON request handlers, which automatically download files from user-provided URLs without properly validating whether those URLs point to internal network addresses, cloud metadata endpoints, or other restricted resources. The framework automatically registers any service endpoint with file-type parameters as vulnerable to this attack. The CVSS v3.1 base score is 9.9 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L, indicating high severity with network attack vector, low complexity, and no required privileges or user interaction (GitHub Advisory).

The vulnerability can be exploited to access AWS/GCP/Azure cloud metadata services for credential theft, enumerate and interact with internal HTTP services and APIs, bypass firewall restrictions to reach internal network resources, perform network reconnaissance, and potentially retrieve sensitive information disclosed in HTTP response data. The documentation explicitly promotes the URL-based file upload feature, making it an intended design that exposes all deployed services to SSRF attacks by default (GitHub Advisory).

The vulnerability has been patched in version 1.4.19. The fix implements comprehensive URL validation in both serialization paths by adding network restriction checks to prevent access to internal/private network ranges, localhost, and cloud metadata endpoints. Users are strongly advised to upgrade to version 1.4.19 or later (GitHub Patch).