You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

Log in or Sign Up to review the conditions and access this model content.

Blind SSRF in Kubeflow Pipelines API Server

Researcher: n00bpr0gramer
Target: Kubeflow Pipelines 2.2.0 (kubeflow/pipelines)
Program: huntr.com (Kubeflow Bounty)
Severity: HIGH (CVSS 3.1: 7.5 β€” AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Status: Submitted, Pending Triage
Date: 2026-06-09

Summary

The Kubeflow Pipelines API Server (ml-pipeline) uses Go's http.DefaultClient when fetching pipeline version specs from user-supplied URLs. The CreatePipelineAndVersion (POST /apis/v2beta1/pipelines/create) and CreatePipelineVersion (POST /apis/v2beta1/pipelines/{id}/versions) endpoints accept a packageUrl.pipelineUrl field and make an HTTP GET to that URL with zero validation.

http.DefaultClient has no timeout, no IP restrictions, and no redirect policy β€” allowing an authenticated attacker to force the server to fetch arbitrary URLs including cloud provider metadata endpoints (169.254.x.x), internal Kubernetes services, and other cluster-internal resources.

Root Cause

File: backend/src/apiserver/server/pipeline_server.go (tag 2.2.0)

func NewPipelineServer(resourceManager *resource.ResourceManager, options *PipelineServerOptions) *PipelineServer {
    return &PipelineServer{
        resourceManager: resourceManager,
        httpClient: http.DefaultClient,  // Line 201-202 β€” VULNERABLE
        options: options,
    }
}

http.DefaultClient has:

  • No timeout β€” requests hang indefinitely
  • No IP validation β€” private IPs (10.x, 172.16-31.x, 192.168.x, 169.254.x) reachable
  • No redirect policy β€” redirects followed automatically (up to 10)
  • No transport customization β€” default http.Transport with no restrictions

Two vulnerable code paths:

  • pipeline_server.go:155 β€” s.httpClient.Get(pipelineUrl.String()) (CreatePipelineAndVersion)
  • pipeline_server.go:636 β€” s.httpClient.Get(pipelineUrl.String()) (CreatePipelineVersion)

Impact

This is a blind SSRF β€” the response body is not returned. However, detection and exploitation are possible through status code leakage, DNS resolution leakage, connection timing differences, and TLS behavior analysis.

Cloud Metadata Access

The 169.254.169.254 IP is reachable from any Kubernetes pod in a cloud environment, exposing instance metadata and potentially IAM credentials.

Internal Service Discovery

Cluster-internal networks can be systematically mapped including the Kubernetes API server, internal DNS, and other Kubeflow services.

PoC Files

File Description
poc_kubeflow_ssrf.py Standalone Python PoC script
poc_kubeflow_ssrf_output.txt Full PoC output with curl commands and evidence

PoC Results (7/10 Tests Confirmed)

Test Result
OCI IMDS v1 βœ… VULNERABLE β€” HTTP 200 from metadata
OCI IMDS v2 βœ… VULNERABLE β€” status code 403 leaked
AWS IMDS βœ… VULNERABLE β€” status code leakage
GCP Metadata βœ… VULNERABLE β€” status code leakage
K8s API Server βœ… VULNERABLE β€” TLS handshake completed
DNS OOB exfiltration βœ… VULNERABLE β€” DNS resolution leak
Port scanning βœ… VULNERABLE β€” connection refused vs timeout

Affected Endpoints

Method Path Vulnerable Line
POST /apis/v2beta1/pipelines/create pipeline_server.go:155
POST /apis/v2beta1/pipelines/{id}/versions pipeline_server.go:636

References

Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. πŸ™‹ Ask for provider support