Cross-Tenant Data Exfiltration in AWS Bedrock via Model-Induced SSRF
Overview
Security researchers discovered a high-severity vulnerability in AWS Bedrock's implementation of a third-party image analysis model. The vulnerability, dubbed 'Model-Bleed,' allowed an attacker to induce a Server-Side Request Forgery (SSRF) attack by submitting a carefully crafted image, leading to cross-tenant data leakage.

The attack vector exploited a flaw in the backend service that pre-processed image files before passing them to the foundational model. The attacker could embed a URL pointing to an internal AWS metadata endpoint within the image's metadata (e.g., EXIF data). The vulnerable pre-processing service would parse this metadata and, without proper validation, make an HTTP request to the embedded URL. This allowed the attacker to query the EC2 Instance Metadata Service (IMDSv2) of the underlying host running the model inference workload.

By chaining requests, the attacker could obtain temporary IAM role credentials associated with the Bedrock service. These credentials, while scoped, provided access to internal S3 buckets used for caching and logging. The researchers demonstrated that by repeatedly querying these logging resources, they could capture fragments of data from other tenants whose requests were processed on the same shared hardware, including snippets of prompts and inference results.

This vulnerability highlighted the complex security challenges of building multi-tenant AI services, where vulnerabilities can exist not just in the model itself but in the entire data processing pipeline. AWS patched the vulnerability by adding a strict allow-list for all outbound network connections from the image processing environment and implementing more robust metadata sanitization.
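The two controls named in the fix, an outbound allow-list and metadata sanitization, can be sketched for a self-hosted image pipeline as follows. This is an added example, not AWS's code; the function names, the allow-listed host and the sample metadata are hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical allow-list; a real service would load it from reviewed configuration.
ALLOWED_HOSTS = frozenset({"assets.example.com"})
URL_RE = re.compile(r"[a-z][a-z0-9+.\-]*://", re.IGNORECASE)
# Constructed sample metadata, not taken from any real image.
SAMPLE_EXIF = {
    "Make": "ExampleCam",
    "ImageDescription": "http://169.254.169.254/latest/meta-data/",
    "UserComment": b"see HTTPS://internal.example/x",
}


def is_egress_allowed(url, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for https URLs whose host is an exact allow-list entry."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme.lower() != "https" or not host:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # userinfo can disguise the real destination host
    if port not in (None, 443):
        return False
    try:
        ipaddress.ip_address(host)
        return False  # IP literals (link-local, private, loopback) never pass
    except ValueError:
        pass  # not an IP literal, fall through to the name check
    return host in allowed_hosts


def sanitize_metadata(fields):
    """Split metadata into fields safe to keep and names dropped for carrying a URL."""
    kept, dropped = {}, []
    for name, value in fields.items():
        if isinstance(value, bytes):
            value = value.decode("utf-8", "replace")
        if URL_RE.search(str(value)):
            dropped.append(name)
        else:
            kept[name] = value
    return kept, sorted(dropped)
```

A name-based check does not cover an allow-listed name that resolves to an internal address, so network-level egress filtering on the processing environment remains the backstop.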
Affected Systems
Testing Guide
1. As a cloud customer, it is not possible or permissible to test for this vulnerability directly.
2. Review security bulletins and notifications from AWS to confirm that your service instances have been patched.
3. Inquire with your AWS support representative about the specific models affected and the patch status for your account.
Mitigation Steps
1. **Rely on provider patches.** As a cloud customer, the primary mitigation is to ensure the cloud provider has addressed the underlying vulnerability.
2. **Use provisioned throughput or dedicated instances** if available for sensitive workloads, which can provide stronger tenant isolation than shared infrastructure.
3. **Encrypt data with customer-managed keys (CMK)** to provide an additional layer of protection. Even if exfiltrated, encrypted data remains secure.
4. **Monitor cloud logs** (e.g., CloudTrail) for any unusual or anomalous behavior originating from the AI service's IAM role.
Patch Details
AWS patched the vulnerability on their backend infrastructure. No customer action was required.