SSRF in Azure OpenAI 'On Your Data' Feature Exposes Internal Network Services
Overview
A Server-Side Request Forgery (SSRF) vulnerability was discovered in the Azure OpenAI Service's 'On Your Data' feature, specifically when a data source is configured via a public URL (for example a PDF or text file served from Azure Blob Storage). The feature lets users connect their own documents to models such as GPT-4 for retrieval-augmented generation (RAG); the backend service that fetches and indexes those documents did not properly validate the URL it was given. An attacker could therefore supply a URL pointing at non-public address space reachable from the Azure fabric, such as the Azure Instance Metadata Service (IMDS) at 169.254.169.254 or internal services in the `10.0.0.0/8` range, and the service would issue the request on the attacker's behalf. The most critical impact was querying IMDS: its managed-identity token endpoint (`/metadata/identity/oauth2/token?api-version=2018-02-01&resource=...`) returns short-lived access tokens for the identity attached to the underlying virtual machine, provided the request carries the `Metadata: true` header. Those tokens could then be used to pivot to other Azure resources, such as Storage Accounts or Key Vaults, within the same managed environment. Microsoft addressed the issue by introducing a strict allow-list for outgoing connections and tightening the URL validation logic to reject requests to internal, link-local and loopback addresses.
Affected Systems
Testing Guide
1. In Azure OpenAI Studio, navigate to the 'Add your data' section.
2. Select 'URL' as the data source type.
3. First establish that the fetch path works at all: enter a URL to a public endpoint you control that logs incoming requests. Both patched and unpatched backends should reach it; the log entry gives you the egress IP range and User-Agent of the fetcher, which is useful for later detection work.
4. Then enter a URL that targets internal address space, e.g. `http://169.254.169.254/metadata/instance?api-version=2021-02-01` or a host in `10.0.0.0/8`. A patched backend rejects the URL with a validation error before any request is made. A vulnerable backend attempts the fetch; since you cannot observe that attempt from outside, use a hostname under your own authoritative DNS that resolves to 169.254.169.254: a DNS query in your resolver logs proves the backend resolved and tried to contact the internal address, and also shows whether validation happens only on the literal URL rather than on the resolved address.
5. Caveat: Azure IMDS only answers requests that carry the header `Metadata: true`, so an HTTP 400 or an empty result from an IMDS URL does not by itself prove the bug is fixed. Only a validation error at the URL entry step, before any outbound request, does.
Mitigation Steps
1. **Service-Side Patch:** This vulnerability was patched by Microsoft on the Azure backend. Customer action is not required to receive the fix.
2. **Use Private Endpoints:** Whenever possible, connect Azure OpenAI to data sources through Azure Private Endpoints rather than public URLs. Traffic then stays off the public internet, and the public-URL fetch path that this SSRF abused is not used at all.
3. **Network Segmentation:** Apply strict network security groups (NSGs) and firewall rules to all Azure resources, restricting inbound and outbound traffic to what is strictly necessary, so that a compromised fetcher or a leaked managed-identity token reaches as little as possible.
4. **Least-Privilege Identities:** Scope the managed identity on the Azure OpenAI resource to exactly the Storage Accounts and Key Vault secrets it needs; an IMDS token is only as dangerous as the roles behind it.
5. **Audit Data Source Configurations:** Regularly review the data sources attached to your Azure OpenAI instances and confirm they point at legitimate, intended endpoints.
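The fix described in the Overview and in mitigation step 1 amounts to validating a user-supplied URL before a server-side fetcher touches it. The following is an added example, not Microsoft's code and not part of the original advisory, of how such a validator is written so that it catches the bypasses a pentester would try: literal internal IPs, the decimal and hex spellings of 169.254.169.254 and 127.0.0.1, IPv4 addresses embedded in IPv6, credentials in the authority part, and hostnames that resolve to internal space (including one public and one private answer, the classic rebinding setup). The function names (`check_url`, `_parse_literal`, `_is_blocked`), the `FAKE_DNS` table and the `fake_resolver` are constructed for this example; the real fetcher would use `_default_resolver` and then connect to the pinned address it returns.

```python
"""
SSRF-hardened URL validation for a server-side document fetcher.
Added example; names and the sample DNS table are constructed, not from
any real service.  Assumes http/https fetches and a fetcher that connects
to the address this validator pinned, not to a fresh DNS lookup.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# ipaddress already flags private, loopback, link-local (covers IMDS at
# 169.254.169.254), multicast, reserved and unspecified space.  These add
# ranges that are formally public but still dangerous inside a cloud network.
EXTRA_BLOCKED = [
    ipaddress.ip_network("100.64.0.0/10"),  # carrier-grade NAT, used by some fabrics
]


def _parse_literal(host):
    """Return an ip_address for literal hosts, including obfuscated forms
    such as decimal (2852039166) or hex (0xa9fea9fe); None if not literal."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        n = int(host, 0)  # base 0 accepts 0x.., 0o.., 0b.. and plain decimal
    except ValueError:
        return None
    if 0 <= n <= 0xFFFFFFFF:
        return ipaddress.ip_address(n)  # integer -> IPv4Address
    return None


def _is_blocked(addr):
    """True if addr lies in any range the fetcher must never contact."""
    if addr.version == 6:
        # ::ffff:169.254.169.254 and 6to4 forms hide an IPv4 address inside IPv6
        embedded = addr.ipv4_mapped or addr.sixtofour
        if embedded is not None:
            addr = embedded
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified
            or any(addr in net for net in EXTRA_BLOCKED))


def _default_resolver(host):
    """Resolve every A/AAAA answer for host (used outside of tests)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_url(url, resolver=_default_resolver):
    """Return (ok, reason, pinned_ip).  When ok is True the caller must
    connect to pinned_ip (with the Host header set from the URL) rather
    than resolving again, so a DNS rebind cannot swap in an internal IP."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", None
    host = parts.hostname
    if not host:
        return False, "no host", None
    if parts.username or parts.password:
        return False, "credentials in URL", None
    literal = _parse_literal(host)
    if literal is not None:
        addrs = [literal]
    else:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return False, "unresolvable host", None
        if not addrs:
            return False, "unresolvable host", None
    # Reject if ANY answer is internal: a mixed public/private answer set is
    # exactly what a rebinding attacker serves.
    for a in addrs:
        if _is_blocked(a):
            return False, f"resolves to blocked address {a}", None
    return True, "ok", str(addrs[0])


# Constructed DNS table standing in for real resolution during the demo.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.test": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolver(host):
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise socket.gaierror("constructed resolver: unknown host")


def demo():
    """Run the validator over typical SSRF probes; returns {url: ok}."""
    probes = [
        "https://example.com/data.pdf",
        "http://169.254.169.254/metadata/instance?api-version=2021-02-01",
        "http://[::ffff:169.254.169.254]/metadata/instance",
        "http://2852039166/",          # decimal form of 169.254.169.254
        "http://0x7f000001/",          # hex form of 127.0.0.1
        "http://10.0.0.5/internal",
        "http://localhost/",
        "http://metadata.internal/",
        "http://rebind.test/",
        "http://user:pw@example.com/",
        "file:///etc/passwd",
    ]
    return {u: check_url(u, fake_resolver)[0] for u in probes}


if __name__ == "__main__":
    for url, ok in demo().items():
        print(f"{'ALLOW' if ok else 'BLOCK':5} {url}")
```

Two things the validator cannot do on its own: the HTTP client must not follow redirects automatically (each `Location` must go back through `check_url`), and the connect step must use the pinned address, otherwise a second DNS lookup reopens the rebinding hole the "reject if any answer is internal" rule closes.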
Patch Details
Patched by Microsoft in a rolling update to the Azure OpenAI backend services between July 22 and July 24, 2025.