Label Studio is a popular open-source data labeling tool used to annotate and classify various types of data, such as images, text, and audio files. Recently, a Server-Side Request Forgery (SSRF) vulnerability was discovered in Label Studio's S3 storage integration feature in versions prior to 1.16. This vulnerability allows an attacker to use Label Studio as a proxy to reach internal services and even exfiltrate sensitive data. In this post, we discuss the details of this vulnerability (CVE-2025-25297) and give an overview of the potential risks and mitigations.

Vulnerability Details

The SSRF vulnerability is located in the S3 storage integration feature of Label Studio, specifically in the endpoint configuration section. This feature allows users to create an S3 storage connection by specifying a custom S3 endpoint URL using the s3_endpoint parameter. The endpoint URL is passed directly to the boto3 AWS SDK without any validation or restrictions on the protocol or destination, essentially allowing an attacker to send HTTP requests to arbitrary internal services by specifying them as the S3 endpoint.

When the storage sync operation is triggered, Label Studio attempts to make S3 API calls to the specified endpoint, effectively sending HTTP requests to the target service and returning the response in error messages. In this way, the SSRF vulnerability allows attackers to bypass network segmentation and access internal services that should be inaccessible from external networks.

Here's an example of the vulnerable code:

import boto3

# Illustrative: the endpoint is taken straight from the storage form and
# handed to boto3. Nothing checks its scheme or destination host.
user_provided_s3_endpoint = storage_form["s3_endpoint"]  # e.g. "http://internal-service.example.com"

s3 = boto3.client(
    's3',                                    # boto3 service names are lowercase
    endpoint_url=user_provided_s3_endpoint,  # Vulnerable parameter
    aws_access_key_id=access_key,            # credentials from the same form (placeholders)
    aws_secret_access_key=secret_key,
    region_name=region,
)

s3.list_buckets()  # the sync issues an HTTP request to whatever host was supplied

The severity of this vulnerability is further heightened by the fact that error messages from failed requests contain the full response body, potentially allowing attackers to exfiltrate sensitive data from internal services.

1. Access Label Studio's S3 storage connection configuration page.

2. Provide a custom S3 endpoint URL pointing to an internal service (e.g., http://internal-service.example.com).

3. Trigger the storage sync operation.

4. Label Studio will now attempt to make S3 API calls to the specified custom endpoint URL, effectively sending HTTP requests to the attacker's chosen internal service.

Mitigation

Label Studio released a patch for this vulnerability in version 1.16. The patch implements proper validation and restrictions on the s3_endpoint parameter, preventing exploitation of this SSRF vulnerability. Users are strongly encouraged to update their installations to the latest version to benefit from this security fix.
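As an added illustration of the kind of endpoint validation such a fix needs (this is example code written for this post, not Label Studio's actual patch), assuming a deployer-controlled allowlist of endpoint host suffixes and HTTPS only:

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for the demo; a real deployment sets its own.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOST_SUFFIXES = (".amazonaws.com",)


def _is_public(ip: str) -> bool:
    a = ipaddress.ip_address(ip)  # rejects loopback, RFC 1918, link-local, etc.
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_reserved or a.is_multicast or a.is_unspecified)


def validate_s3_endpoint(url: str, resolver=socket.getaddrinfo) -> str:
    """Return a normalised endpoint URL or raise ValueError.

    Rejects non-HTTPS schemes, embedded credentials, literal IPs, hosts outside
    the allowlist, and names resolving to non-public addresses (e.g. 169.254.x.x).
    `resolver` is injectable so the check can be exercised offline."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("endpoint must be a bare host without credentials")
    host = parts.hostname.lower()
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a hostname, as expected
    else:
        raise ValueError("literal IP endpoints are not accepted")
    if not host.endswith(ALLOWED_HOST_SUFFIXES):
        raise ValueError(f"host not in allowlist: {host}")
    try:
        infos = resolver(host, parts.port or 443, proto=socket.IPPROTO_TCP)
    except OSError as exc:
        raise ValueError(f"cannot resolve {host}") from exc
    for info in infos:  # check every A/AAAA answer, not just the first
        if not _is_public(info[4][0]):
            raise ValueError(f"{host} resolves to non-public {info[4][0]}")
    return f"{parts.scheme}://{host}" + (f":{parts.port}" if parts.port else "")


def is_safe_endpoint(url: str, resolver=socket.getaddrinfo) -> bool:
    """Boolean wrapper for callers that only need pass/fail."""
    try:
        validate_s3_endpoint(url, resolver)
        return True
    except ValueError:
        return False
```

Resolving at validation time still leaves a window for DNS answers to change before boto3 connects, so pair this with egress network policy or a client that pins the checked address.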

- Label Studio GitHub Repository
- Label Studio Changelog 1.16.

Conclusion

The SSRF vulnerability in Label Studio's S3 storage integration feature highlights the importance of proper input validation and secure coding practices when dealing with user-provided data. This vulnerability allowed attackers to bypass network segmentation and access internal services, exposing organisations to a range of potential security risks. Updating to Label Studio version 1.16 or later protects against this specific vulnerability.

Timeline

Published on: 02/14/2025 20:15:36 UTC