CVE-2025-25297 — HIGH (CVSS 8.6) AI Security Vulnerability

Q: Is CVE-2025-25297 actively exploited?

No confirmed active exploitation of CVE-2025-25297 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2025-25297?

1. Patch: Upgrade Label Studio to ≥1.16.0 immediately — no functional workaround exists for S3 users. 2. Detect: Audit all S3 storage configurations in your Label Studio instance; flag any s3_endpoint values pointing to RFC-1918 ranges (10.x, 172.16-31.x, 192.168.x) or 169.254.169.254. 3. Contain: Apply egress firewall rules restricting Label Studio's outbound HTTP to known S3 service endpoints only; block metadata IPs at the network level. 4. Investigate: On AWS, review CloudTrail for anomalous API calls originating from the instance role; rotate credentials if any exposure window existed. 5. Harden: Enable IMDSv2 (token-required mode) on all AWS instances running Label Studio to mitigate metadata endpoint SSRF as a defense-in-depth measure.

Q: What systems are affected by CVE-2025-25297?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, data labeling platforms, MLOps platforms, cloud-hosted AI infrastructure.

Q: What is the CVSS score for CVE-2025-25297?

CVE-2025-25297 has a CVSS v3.1 base score of 8.6 (HIGH). The EPSS exploitation probability is 0.05%.

CISO Take

Label Studio deployments with S3 storage integrations are vulnerable to SSRF that can reach cloud metadata endpoints (AWS IMDSv1/GCP), harvest temporary IAM credentials, and expose internal services — full response bodies leak in error messages making this a reliable exfiltration primitive. Upgrade to 1.16.0 immediately; no partial workaround preserves S3 functionality. If exploitation is suspected on cloud-hosted instances, rotate all IAM roles associated with the Label Studio server without delay.

Risk Assessment

High risk for organizations running Label Studio in cloud environments or behind shared internal networks. The SSRF vector to AWS IMDSv1 (169.254.169.254) is a well-documented lateral movement path that has led to major cloud breaches. Error messages returning full HTTP response bodies elevate this beyond typical SSRF — it becomes a reliable read primitive for any internal HTTP service. The CVSS vector scores PR:N (no privileges), though the writeup implies an authenticated user is required; regardless, barrier to exploitation is low given Label Studio's common trial/self-serve access model and the trivial payload needed.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
label-studio	pip	< 1.16.0	`1.16.0`
27.3K 1 dependents Pushed yesterday 71% patched ~145d to patch Full package profile →

Do you use label-studio? You're affected.

Severity & Risk

CVSS 3.1

8.6 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 16% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR None

UI None

S Changed

C High

I None

A None

Recommended Action

5 steps

Patch: Upgrade Label Studio to ≥1.16.0 immediately — no functional workaround exists for S3 users.
Detect: Audit all S3 storage configurations in your Label Studio instance; flag any s3_endpoint values pointing to RFC-1918 ranges (10.x, 172.16-31.x, 192.168.x) or 169.254.169.254.
Contain: Apply egress firewall rules restricting Label Studio's outbound HTTP to known S3 service endpoints only; block metadata IPs at the network level.
Investigate: On AWS, review CloudTrail for anomalous API calls originating from the instance role; rotate credentials if any exposure window existed.
Harden: Enable IMDSv2 (token-required mode) on all AWS instances running Label Studio to mitigate metadata endpoint SSRF as a defense-in-depth measure.

Classification

Data Extraction Auth Bypass Framework Training Data AML.T0025 - Exfiltration via Cyber Means AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.2 - AI risk assessment

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain deployment

OWASP LLM Top 10

LLM03:2025 - Supply Chain

Frequently Asked Questions

What is CVE-2025-25297?

Label Studio deployments with S3 storage integrations are vulnerable to SSRF that can reach cloud metadata endpoints (AWS IMDSv1/GCP), harvest temporary IAM credentials, and expose internal services — full response bodies leak in error messages making this a reliable exfiltration primitive. Upgrade to 1.16.0 immediately; no partial workaround preserves S3 functionality. If exploitation is suspected on cloud-hosted instances, rotate all IAM roles associated with the Label Studio server without delay.

Is CVE-2025-25297 actively exploited?

No confirmed active exploitation of CVE-2025-25297 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-25297?

1. Patch: Upgrade Label Studio to ≥1.16.0 immediately — no functional workaround exists for S3 users. 2. Detect: Audit all S3 storage configurations in your Label Studio instance; flag any s3_endpoint values pointing to RFC-1918 ranges (10.x, 172.16-31.x, 192.168.x) or 169.254.169.254. 3. Contain: Apply egress firewall rules restricting Label Studio's outbound HTTP to known S3 service endpoints only; block metadata IPs at the network level. 4. Investigate: On AWS, review CloudTrail for anomalous API calls originating from the instance role; rotate credentials if any exposure window existed. 5. Harden: Enable IMDSv2 (token-required mode) on all AWS instances running Label Studio to mitigate metadata endpoint SSRF as a defense-in-depth measure.

What systems are affected by CVE-2025-25297?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, data labeling platforms, MLOps platforms, cloud-hosted AI infrastructure.

What is the CVSS score for CVE-2025-25297?

CVE-2025-25297 has a CVSS v3.1 base score of 8.6 (HIGH). The EPSS exploitation probability is 0.05%.

Technical Details

NVD Description

## Description Label Studio's S3 storage integration feature contains a Server-Side Request Forgery (SSRF) vulnerability in its endpoint configuration. When creating an S3 storage connection, the application allows users to specify a custom S3 endpoint URL via the s3_endpoint parameter. This endpoint URL is passed directly to the boto3 AWS SDK without proper validation or restrictions on the protocol or destination. The vulnerability allows an attacker to make the application send HTTP requests to arbitrary internal services by specifying them as the S3 endpoint. When the storage sync operation is triggered, the application attempts to make S3 API calls to the specified endpoint, effectively making HTTP requests to the target service and returning the response in error messages. This SSRF vulnerability enables attackers to bypass network segmentation and access internal services that should not be accessible from the external network. The vulnerability is particularly severe because error messages from failed requests contain the full response body, allowing data exfiltration from internal services. ## Steps to reproduce 1. Create an account in Label Studio 2. Create a new project with basic configuration 3. Create an S3 storage connection with the following configuration: ```json { "project": 1, "title": "Test Storage", "bucket": "<filename>", "s3_endpoint": "http://internal-web", "use_blob_urls": true, "aws_access_key_id": "test", "aws_secret_access_key": "test" } ``` 4. Trigger a storage sync operation by sending a POST request to `/api/storages/s3/[storage_id]/sync` The application will attempt to connect to the specified endpoint URL as if it were an S3 service. When the request fails due to invalid S3 API responses, the error message will contain the raw response from the internal service, allowing access to internal resources. ## Mitigations - Implement strict validation of S3 endpoint URLs to allow only valid S3service endpoints - Add an allowlist of endpoint domains and protocols - Sanitize error messages to prevent leakage of sensitive information from failed requests - Consider implementing network-level controls to restrict outbound connections from the application server ## Impact This vulnerability has high severity as it allows authenticated users to make requests to arbitrary internal services from the application server, potentially exposing sensitive internal resources and bypassing network segmentation. The inclusion of response data in error messages makes this particularly effective for data exfiltration.

Exploitation Scenario

An attacker creates a free trial account on a self-hosted Label Studio instance. They POST a new S3 storage configuration with s3_endpoint set to http://169.254.169.254/latest/meta-data/iam/security-credentials/RoleName. Upon triggering a sync via /api/storages/s3/[id]/sync, Label Studio's boto3 client issues an HTTP GET to the AWS instance metadata service. The request fails as a valid S3 response, but the full metadata payload — including AccessKeyId, SecretAccessKey, and Token — is returned in the error message to the attacker. With these temporary credentials the attacker accesses S3 training data buckets, exfiltrates proprietary ML datasets, and pivots laterally to other AWS services within the instance role's permission boundary.