BentoML
cpe:2.3:a:bentoml:bentoml:*:*:*:*:*:*:*
- >= 1.4.0, < 1.4.19
A server-side request forgery (SSRF) vulnerability has been identified in BentoML versions 1.4.0 prior to 1.4.19. This vulnerability allows unauthenticated remote attackers to manipulate the server into making arbitrary HTTP requests. The issue arises in the file upload processing system, specifically within the multipart form data and JSON request handlers. These handlers automatically download files from user-supplied URLs without properly validating whether the URLs point to internal network addresses, cloud metadata endpoints, or other restricted resources. The vulnerability is exacerbated by the fact that the BentoML documentation promotes this URL-based file upload feature, creating an intended design flaw that exposes deployed services to SSRF attacks by default.
Exploitation of this vulnerability allows access to internal and cloud metadata services, potentially leading to credential theft. It also enables enumeration and interaction with internal HTTP services, bypassing firewall restrictions to access internal network resources. Additionally, the vulnerability could be used for network reconnaissance from the server's perspective, retrieving sensitive information from HTTP response data, and exploiting internal services through crafted requests.
To reproduce this vulnerability, create a BentoML service that includes file-type input parameters. Once the service is deployed, send a POST request to the endpoint with multipart form data or a JSON body containing a URL that points to an internal resource or cloud metadata service. The server will then make an HTTP request to the specified URL, demonstrating the SSRF vulnerability.
Users are advised to update to BentoML version 1.4.19, which includes a patch for this vulnerability. For those using earlier versions, it is recommended to implement manual URL validation in the file upload processing to prevent access to internal network addresses and cloud metadata endpoints.
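One way to implement the manual URL validation recommended above, as an added example that is not BentoML's own code: it assumes the check is called on the user-supplied URL before the upload handler fetches anything, and the function names, the injectable `resolver` parameter and `BLOCKED_HOSTS` are this example's own choices.

```python
# Added example of pre-fetch URL validation for URL-based uploads.
# Not BentoML code; the names below are this example's own.
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Names that reach local or cloud-metadata services without an IP literal.
BLOCKED_HOSTS = {"localhost", "metadata.google.internal"}


def _default_resolver(host: str) -> list[str]:
    """Every A/AAAA address the name maps to; the caller checks all of them."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_restricted(addr) -> bool:
    """True for anything not globally routable: loopback, RFC 1918, link-local
    (which contains the 169.254.169.254 metadata endpoint), ULA, multicast."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 must be judged as 10.0.0.1
    return not addr.is_global


def validate_download_url(
    url: str, resolver: Callable[[str], Iterable[str]] = _default_resolver
) -> Optional[str]:
    """Return None if the URL may be fetched, else the reason it was refused."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {parts.scheme or '(none)'}"
    if not parts.hostname:
        return "missing host"
    if parts.username or parts.password:
        return "credentials embedded in URL"
    host = parts.hostname.rstrip(".")
    if host in BLOCKED_HOSTS:
        return f"blocked host: {host}"
    try:
        candidates = [ipaddress.ip_address(host)]  # IP literal, no DNS needed
    except ValueError:
        try:  # hostname: reject if ANY resolved address is restricted
            candidates = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return f"cannot resolve host: {host}"
    for addr in candidates:
        if _is_restricted(addr):
            return f"{host} resolves to restricted address {addr}"
    return None
```

The same check must be re-applied to every redirect target the download client follows, and because DNS can change between validation and connection, a stricter deployment connects to the validated address rather than re-resolving the name.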