Server-Side Request Forgery (SSRF) in Azure AI Studio's Data Import Feature
Overview
A critical SSRF vulnerability was identified in the Azure AI Studio platform, specifically within the 'Import Data from URL' functionality used for creating new datasets. The feature was designed to allow users to pull data directly from public web servers. However, insufficient validation of user-supplied URLs allowed an authenticated attacker to submit URLs pointing to internal, non-public IP addresses. By providing a URL like `http://169.254.169.254/metadata/instance/compute/credentials?api-version=2021-02-01&format=json`, an attacker could trick the Azure backend service into making a request to the internal Azure Instance Metadata Service (IMDS). This request would execute within the security context of the Azure service's virtual machine, causing the IMDS to return temporary IAM credentials. The attacker could then exfiltrate these credentials through the data import error messages or by directing the output to a controlled server. With these credentials, the attacker could gain unauthorized access to other Azure resources, such as storage accounts and databases, associated with the victim's service principal. The vulnerability exposed sensitive data and provided a pivot point for broader attacks within a victim's Azure environment.
Affected Systems
Testing Guide
1. Log in to your Azure AI Studio account.
2. Navigate to the data creation or import section.
3. Attempt to create a new dataset by providing a URL that points to a service you control that can log incoming HTTP requests (e.g., Burp Collaborator, Interactsh).
4. Try providing URLs targeting internal or loopback addresses, such as `http://127.0.0.1/` or `http://localhost:8080/`.
5. If your logging service receives a request from an Azure-owned IP address, the service may be vulnerable.

**Do not attempt to access `169.254.169.254` as this violates cloud provider terms of service.** Confirmation of the patch is best done by reviewing Microsoft's security advisories.
Mitigation Steps
1. **Apply Service-Side Patch:** This vulnerability was patched by Microsoft on the service side. No user action is required for mitigation as the fix is automatically applied to the cloud platform.
2. **Implement Network Controls:** For self-hosted AI infrastructure, enforce strict egress filtering rules to block server-side requests to internal IP ranges and cloud metadata endpoints.
3. **Use Private Endpoints:** When connecting Azure AI services to data sources, prefer using Azure Private Endpoints instead of public URLs to ensure traffic does not traverse the public internet and cannot be redirected.
4. **Audit Access Logs:** Regularly audit cloud access logs for anomalous requests originating from AI service IP ranges, particularly those targeting metadata services.
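The host-level counterpart of mitigation step 2, as an added example that is not Microsoft's code or part of the original advisory: a check a self-hosted import service can run on a user-supplied URL before fetching it. It resolves the hostname and rejects any URL whose address is loopback, private, link-local (which covers `169.254.169.254`), or otherwise non-public, including IPv4-mapped IPv6 and decimal-encoded forms; the `BLOCKED_HOSTNAMES` set and the sample addresses are assumptions chosen for illustration.

```python
"""Reject data-import URLs that would reach internal or metadata addresses."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Names that commonly alias the local machine or a metadata service (assumption).
BLOCKED_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal"}


def _is_public(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_import_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason). Every address the host maps to must be public."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host or host.lower() in BLOCKED_HOSTNAMES:
        return False, "blocked or missing hostname"
    try:
        port = parts.port or 80
    except ValueError:
        return False, "invalid port"
    try:
        # Literal IPs (including decimal forms such as 2852039166) and DNS names
        # both come back here as canonical addresses; unresolvable hosts fail closed.
        infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    except (socket.gaierror, OSError):
        return False, "hostname does not resolve"
    for *_, sockaddr in infos:
        if not _is_public(sockaddr[0]):
            return False, f"resolves to non-public address {sockaddr[0]}"
    return True, "ok"
```

The fetch that follows must connect to the address vetted here and must not follow redirects; a second DNS lookup or a 3xx response from a public host can otherwise still land on an internal address.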
Patch Details
Microsoft deployed a server-side patch in September 2025, implementing a blocklist for internal IP ranges and metadata service endpoints.