CVE-2022-36551: Label Studio: SSRF + file read, self-reg bypass

GHSA-pc6f-259w-w3j6 MEDIUM PoC AVAILABLE
Published October 4, 2022
CISO Take

Any internet-exposed Label Studio instance running <1.6.0 is trivially exploitable — self-registration is on by default, so an unauthenticated attacker can register, then use the Data Import SSRF to read arbitrary files including credentials, model artifacts, and cloud metadata endpoints. Patch to 1.6.0 immediately and audit access logs for unexpected import requests. If patching is not immediate, disable self-registration and restrict Data Import to trusted users.

What is the risk?

Effective risk is higher than the CVSS 6.5 Medium suggests. The self-registration default turns this from an authenticated vulnerability into a de facto unauthenticated one for any publicly reachable instance. SSRF + arbitrary file read in an ML annotation platform gives attackers access to training datasets, labeling credentials, cloud provider metadata (AWS IMDS, GCP metadata), and internal network pivoting. EPSS of 0.047 reflects low automated exploitation activity, but the exploit primitive is trivial to reproduce manually.

What systems are affected?

Package: Label Studio
Ecosystem: pip
Vulnerable Range: < 1.6.0
Patched: 1.6.0
27.7K 1 dependents Pushed 4d ago 71% patched ~145d to patch

How severe is it?

CVSS 3.1: 6.5 / 10
EPSS: 5.1% chance of exploitation in 30 days (higher than 91% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

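AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): None
A (Availability): None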

What should I do?

6 steps

  1. PATCH: Upgrade to label-studio >= 1.6.0 immediately; this is the only complete fix.
  2. DISABLE self-registration if running <1.6.0: set LABEL_STUDIO_DISABLE_SIGNUP_WITHOUT_LINK=1 or restrict via reverse proxy.
  3. NETWORK: Place Label Studio behind VPN or IP allowlist; it should never be publicly accessible without authentication.
  4. DETECT: Search access logs for Data Import requests containing 'file://', '169.254.169.254', '127.0.0.1', or internal RFC-1918 ranges in URL parameters.
  5. ROTATE: If instance was exposed, rotate all credentials stored in config files, environment variables, and connected cloud accounts.
  6. AUDIT: Review all Data Import history for suspicious file:// or internal URLs.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 10 - Data and Data Governance; Article 9 - Risk Management System
ISO 42001: A.8.2 - Data Security in AI Lifecycle; A.9.2 - Access Control for AI Systems
NIST AI RMF: MANAGE 2.4 - Residual risks and negative impacts are managed; MAP 1.5 - Organizational risk tolerance and context
OWASP LLM Top 10: LLM03 - Training Data Poisoning

Frequently Asked Questions

Is CVE-2022-36551 actively exploited?

A working exploit for CVE-2022-36551 is published in Exploit-DB, increasing the risk of exploitation.

How to fix CVE-2022-36551?

  1. PATCH: Upgrade to label-studio >= 1.6.0 immediately; this is the only complete fix.
  2. DISABLE self-registration if running <1.6.0: set LABEL_STUDIO_DISABLE_SIGNUP_WITHOUT_LINK=1 or restrict via reverse proxy.
  3. NETWORK: Place Label Studio behind VPN or IP allowlist; it should never be publicly accessible without authentication.
  4. DETECT: Search access logs for Data Import requests containing 'file://', '169.254.169.254', '127.0.0.1', or internal RFC-1918 ranges in URL parameters.
  5. ROTATE: If instance was exposed, rotate all credentials stored in config files, environment variables, and connected cloud accounts.
  6. AUDIT: Review all Data Import history for suspicious file:// or internal URLs.
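
The DETECT step (step 4 here and under "What should I do?"), as an added Python example that is not part of the advisory or of Label Studio's code: it decodes the request target of each access-log entry and flags embedded URLs that use file:// or point at loopback, link-local or private addresses. The log lines are constructed, and the combined log format, the "/import" path hint and the "url" query parameter are assumptions to adapt to your own proxy logs.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')          # request line of a combined-format entry
URL_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^\s\"'&]+", re.I)   # scheme://... inside the decoded target

def classify_import_url(url):
    """Return why a URL deserves review (local file or internal host), else None."""
    try:
        parts = urlsplit(url)
        if parts.scheme.lower() == "file":
            return "file scheme"
        host = (parts.hostname or "").lower()
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # ordinary hostname or unparseable URL; not resolved here
    if ip.is_loopback:  # is_private is also true for loopback/link-local, so test those first
        return "loopback address"
    if ip.is_link_local:
        return "link-local address (169.254.0.0/16, cloud metadata)"
    if ip.is_private:
        return "private/internal address"
    return None

def scan_access_log(lines, path_hint="/import"):
    """Return (line_no, url, reason) for import requests whose target embeds a flagged URL."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match or path_hint not in match.group(1):
            continue
        target = unquote(match.group(1))  # query strings are percent-encoded in logs
        for url in URL_RE.findall(target):
            reason = classify_import_url(url)
            if reason:
                findings.append((line_no, url, reason))
    return findings

# Constructed sample lines; the request path and the "url" parameter are assumptions.
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Oct/2022:10:00:01 +0000] "POST /api/projects/3/import?url=https%3A%2F%2Fdata.example.org%2Ftasks.json HTTP/1.1" 201 64',
    '198.51.100.9 - - [04/Oct/2022:10:02:13 +0000] "POST /api/projects/9/import?url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 201 64',
    '198.51.100.9 - - [04/Oct/2022:10:02:40 +0000] "POST /api/projects/9/import?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2F HTTP/1.1" 201 64',
    '198.51.100.9 - - [04/Oct/2022:10:03:05 +0000] "POST /api/projects/9/import?url=http%3A%2F%2F10.0.4.12%2Fexport.json HTTP/1.1" 201 64',
]

if __name__ == "__main__":
    print(*scan_access_log(SAMPLE_LOG), sep="\n")
```

Access logs normally record only the request line, so an import that carries its URL in the request body will not show up in this scan; the Data Import history review in step 6 covers those.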

What systems are affected by CVE-2022-36551?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, data labeling platforms, MLOps infrastructure.

What is the CVSS score for CVE-2022-36551?

CVE-2022-36551 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 5.09%.

What is the AI security impact?

Affected AI Architectures

training pipelines, data labeling platforms, MLOps infrastructure

MITRE ATLAS Techniques

AML.T0021 Establish Accounts
AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Article 10, Article 9
ISO 42001: A.8.2, A.9.2
NIST AI RMF: MANAGE 2.4, MAP 1.5
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

A Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system. Furthermore, self-registration is enabled by default in these versions of Label Studio enabling a remote attacker to create a new account and then exploit the SSRF. This issue is fixed in version 1.6.0.

Exploitation Scenario

Attacker discovers a Label Studio instance via Shodan/Censys. Self-registration is enabled (default). Attacker registers a free account. Using the Data Import feature, attacker submits a crafted import request pointing to 'file:///etc/passwd' or 'http://169.254.169.254/latest/meta-data/iam/security-credentials/' to harvest AWS instance role credentials. With cloud credentials, attacker pivots to S3 buckets containing training datasets, potentially exfiltrating proprietary labeled data or injecting poisoned samples. If the instance runs with broad IAM permissions (common in ML environments), full cloud account compromise is achievable from a single SSRF request.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: October 4, 2022
Last Modified: September 27, 2024
First Seen: March 24, 2026
