Server-Side Request Forgery in AWS Bedrock via Malicious Multimodal URL Input
Overview
A critical Server-Side Request Forgery (SSRF) vulnerability was discovered in a multimodal foundation model offered through AWS Bedrock. The model allowed users to provide a URL to an image, which the AWS backend infrastructure would then fetch and process. Researchers found that the URL fetching service lacked proper validation and filtering, allowing it to access internal AWS network endpoints. By providing a specially crafted URL, such as `http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE_NAME]`, an attacker could trick the service into making a request to the EC2 metadata service. The response, containing temporary AWS IAM credentials, would then be processed by the model. While the model itself would not directly expose the credentials, the attacker could infer their contents through carefully designed prompts that caused the model to error out or behave in specific ways based on the fetched content, or if the model's output could reflect the input in any way. This vulnerability allowed an unauthenticated attacker to pivot from a public-facing API and gain privileged access to the internal AWS infrastructure supporting the Bedrock service, posing a severe risk to the platform and its customers' data.
Affected Systems
Testing Guide
1. Using the affected model API, submit a request with an image URL pointing to a service you control that can log incoming requests (e.g., a Burp Suite Collaborator or Interactsh URL).
2. Verify that the service receives a request from an AWS IP address.
3. Attempt to submit a request with the URL `http://169.254.169.254/`.
4. In a patched system, this request should be blocked and result in an error message. In a vulnerable system, it would result in a different error or a timeout as the service attempts to connect to the metadata endpoint.
Mitigation Steps
1. **Consumer Mitigation:** This vulnerability was in the AWS backend, so no direct user action is required. All customers are protected after the patch date.
2. **Service Provider Best Practices:** Implement strict allow-lists for egress traffic from backend services that fetch user-provided URLs. Deny access to internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and especially to the metadata service IP (169.254.169.254).
3. **URL Validation:** Use a robust URL parsing library and validate that the resolved IP address is not a private or reserved address before making the request.
4. **Isolate Fetching Services:** Run URL fetching services in a separate, heavily firewalled VPC with no access to internal production services or metadata endpoints.
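One way to implement the URL validation step for a service that fetches user-provided image URLs, as an added example (not AWS's code; `BlockedURL`, `is_forbidden` and `validate_fetch_url` are hypothetical names). It goes beyond the ranges listed above by rejecting every address that is not publicly routable, and it returns the vetted IPs so the fetcher connects to what was checked.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

class BlockedURL(ValueError):
    """Raised when a user-supplied URL must not be fetched."""

def is_forbidden(ip_text):
    """True for any address that is not publicly routable unicast."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 so ::ffff:a.b.c.d is judged as a.b.c.d.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for RFC 1918, loopback, link-local (which covers
    # 169.254.169.254), CGNAT and reserved space; multicast is checked separately.
    return (not ip.is_global) or ip.is_multicast

def validate_fetch_url(url, resolver=socket.getaddrinfo):
    """Return (host, port, vetted_ips) or raise BlockedURL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise BlockedURL("scheme not allowed")
    if not parts.hostname or parts.username or parts.password:
        raise BlockedURL("missing host or embedded credentials")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        infos = resolver(parts.hostname, port, type=socket.SOCK_STREAM)
    except (ValueError, OSError) as exc:  # bad port or failed resolution
        raise BlockedURL("unparseable port or unresolvable host") from exc
    ips = sorted({info[4][0] for info in infos})
    # Reject if ANY record is internal: a name can return mixed answers.
    bad = [ip for ip in ips if is_forbidden(ip)]
    if bad or not ips:
        raise BlockedURL(f"resolves to non-public address: {bad}")
    # The caller must connect to one of these IPs (sending the original Host
    # header / SNI) instead of resolving the name again, so a second DNS
    # answer cannot differ from the one vetted here.
    return parts.hostname, port, ips
```

Run the same check on every redirect hop, and keep the network-level egress deny rules in place as the backstop.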
Patch Details
AWS deployed a network-level fix to the backend fetching service, blocking all requests to internal IP ranges and the EC2 metadata service.