{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-17T10:39:17.374","vulnerabilities":[{"cve":{"id":"CVE-2025-54381","sourceIdentifier":"security-advisories@github.com","published":"2025-07-29T23:15:32.947","lastModified":"2025-08-05T15:41:26.900","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.0 until 1.4.19, the file upload processing system contains an SSRF vulnerability that allows unauthenticated remote attackers to force the server to make arbitrary HTTP requests. The vulnerability stems from the multipart form data and JSON request handlers, which automatically download files from user-provided URLs without validating whether those URLs point to internal network addresses, cloud metadata endpoints, or other restricted resources. The documentation explicitly promotes this URL-based file upload feature, making it an intended design that exposes all deployed services to SSRF attacks by default. Version 1.4.19 contains a patch for the issue."},{"lang":"es","value":"BentoML es una librería de Python para crear sistemas de servicios en línea optimizados para aplicaciones de IA e inferencia de modelos. En las versiones 1.4.0 a 1.4.19, el sistema de procesamiento de carga de archivos contiene una vulnerabilidad SSRF que permite a atacantes remotos no autenticados forzar al servidor a realizar solicitudes HTTP arbitrarias. La vulnerabilidad se origina en los manejadores de datos de formularios multiparte y solicitudes JSON, que descargan archivos automáticamente desde URL proporcionadas por el usuario sin validar si estas URL apuntan a direcciones de red internas, endpoints de metadatos en la nube u otros recursos restringidos. La documentación promueve explícitamente esta función de carga de archivos basada en URL, lo que la convierte en un diseño que expone todos los servicios implementados a ataques SSRF por defecto. La versión 1.4.19 incluye un parche para este problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L","baseScore":9.9,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":5.3}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-918"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:bentoml:bentoml:*:*:*:*:*:*:*:*","versionStartIncluding":"1.4.0","versionEndExcluding":"1.4.19","matchCriteriaId":"FDC38760-A29D-4F73-A6EE-1AEF5BE60C37"}]}]}],"references":[{"url":"https://github.com/bentoml/BentoML/commit/534c3584621da4ab954bdc3d814cc66b95ae5fb8","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/bentoml/BentoML/security/advisories/GHSA-mrmq-3q62-6cc8","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]},{"url":"https://github.com/bentoml/BentoML/security/advisories/GHSA-mrmq-3q62-6cc8","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Mitigation","Vendor Advisory"]}]}}]}