CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27520 – BentoML Allows Remote Code Execution (RCE) via Insecure Deserialization
https://notcve.org/view.php?id=CVE-2025-27520
04 Apr 2025 — BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version (v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. It exists an unsafe code segment in serde.py. This vulnerability is fixed in 1.4.3. • https://github.com/bentoml/BentoML/commit/b35f4f4fcc53a8c3fe8ed9c18a013fe0a728e194 • CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0EPSS: 3%CPEs: 1EXPL: 0CVE-2024-2912 – Insecure Deserialization Leading to RCE in bentoml/bentoml
https://notcve.org/view.php?id=CVE-2024-2912
16 Apr 2024 — An insecure deserialization vulnerability exists in the BentoML framework, allowing remote code execution (RCE) by sending a specially crafted POST request. By exploiting this vulnerability, attackers can execute arbitrary commands on the server hosting the BentoML application. The vulnerability is triggered when a serialized object, crafted to execute OS commands upon deserialization, is sent to any valid BentoML endpoint. This issue poses a significant security risk, enabling attackers to compromise the s... • https://github.com/bentoml/bentoml/commit/fd70379733c57c6368cc022ac1f841b7b426db7b • CWE-1188: Initialization of a Resource with an Insecure Default •