CVE-2025-25297

CVE-2025-25297 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting Label Studio, an open-source data labeling tool, in versions prior to 1.16.0. The issue resides in the S3 storage integration feature, specifically the endpoint configuration. When creating an S3 storage connection, users can specify a custom S3 endpoint URL via the s3_endpoint parameter, which is passed directly to the boto3 AWS SDK without validation of the protocol or destination. This allows arbitrary HTTP requests to internal services when the storage sync operation is triggered.

Unauthenticated remote attackers (AV:N/AC:L/PR:N/UI:N) can exploit this vulnerability over the network with low complexity and no user interaction. By setting the s3_endpoint to target internal services, attackers cause the application to issue S3 API calls to those endpoints during sync operations. The responses from these requests appear in error messages, including full response bodies, enabling attackers to bypass network segmentation, access otherwise isolated internal services, and exfiltrate sensitive data. The vulnerability has a CVSS v3.1 base score of 8.6, with high confidentiality impact and changed scope (S:C/C:H/I:N/A:N).

The patch is available in Label Studio version 1.16.0. Official advisories and the fixing commit are documented on GitHub at https://github.com/HumanSignal/label-studio/security/advisories/GHSA-m238-fmcw-wh58 and https://github.com/HumanSignal/label-studio/commit/06a2b29c1208e1878ccae66e6b84c8b24598fa79.

Label Studio's role as a data labeling tool gives this vulnerability relevance to AI/ML workflows, where it may be deployed to annotate datasets for model training. No public information on real-world exploitation is available.