A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in the BentoML Python library. An unauthenticated remote attacker could exploit this flaw in the file upload system to force the server to make unauthorized requests to internal network resources, potentially leading to data exfiltration, internal network scanning, and compromise of the underlying cloud infrastructure. Due to the critical severity (CVSS 9.9), immediate remediation is required to prevent a potential breach.

The vulnerability is a Server-Side Request Forgery (SSRF) located in the file upload processing component of BentoML. An attacker can craft a malicious request to the file upload endpoint, providing a URL instead of a file. The vulnerable server will then fetch the content from the attacker-supplied URL, allowing the attacker to interact with services on the server's internal network or cloud provider metadata services, which are otherwise inaccessible from the outside.

This vulnerability is rated as critical severity with a CVSS score of 9.9, posing a significant risk to the organization. Successful exploitation could allow an attacker to bypass perimeter security controls and gain unauthorized access to the internal network. Potential consequences include theft of sensitive data from internal databases, compromise of cloud credentials from metadata services (e.g., AWS IMDS), and the ability to pivot deeper into the corporate network. This could result in a major data breach, significant financial loss, and severe reputational damage.

Immediate Action: Immediately upgrade all instances of BentoML to version 1.4.19 or newer, as recommended by the vendor. After patching, it is crucial to monitor systems for any signs of post-exploitation activity and thoroughly review access logs for indicators of compromise that may have occurred prior to the update.

Proactive Monitoring: Security teams should monitor for anomalous outbound network traffic originating from servers running BentoML. Specifically, look for requests to internal IP addresses (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or cloud metadata endpoints (e.g., 169.254.169.254). Application logs should be reviewed for file upload attempts that contain URLs (e.g., "http://", "https://") instead of legitimate file data.

Compensating Controls: If immediate patching is not feasible, implement the following controls:

• Egress Filtering: Use a firewall to strictly control and limit outbound network connections from the BentoML server, allowing access only to known and required external endpoints.
• Web Application Firewall (WAF): Deploy a WAF with rules designed to inspect and block malicious file upload requests that contain URL patterns or attempt to exploit SSRF.
• Network Segmentation: Isolate the BentoML service in a restricted network segment with no access to sensitive internal systems or cloud metadata services.

Public Exploit Available: false

Given the critical CVSS score of 9.9, this vulnerability represents a clear and present danger to the organization's infrastructure. We strongly recommend that all affected BentoML instances be patched immediately, without waiting for evidence of active exploitation. The potential for an attacker to compromise cloud credentials and pivot to the internal network is severe. If patching is delayed for any reason, the compensating controls listed above must be implemented as a matter of urgency.