TL;DR: A critical deserialization vulnerability (CVSS 9.8 – CVE-2025-27520) in BentoML (v1.3.8–1.4.2) lets attackers execute remote code without authentication. Discovered by Checkmarx Zero. Upgrade to v1.4.3 immediately. The WAF workaround is limited.
A critical security vulnerability has been identified in BentoML, a widely used Python framework for building and running AI-powered online services. This vulnerability, tracked as CVE-2025-27520 with a CVSS score of 9.8 (critical) and discovered by cybersecurity researchers at Checkmarx Zero, could let attackers who are not even logged in take complete control of the servers running these AI services.
According to Checkmarx research shared with Hackread.com, attackers can exploit the flaw by sending crafted malicious data to a BentoML server, enabling RCE (remote code execution). This could lead to data theft or full server takeover.
The problem lies inside a specific part of BentoML's code, the deserialize_value() function, located in a file named serde.py. This function takes data prepared in a special format (called serialized data) and turns it back into a usable form for the AI service.
However, researchers found that this process does not properly check the incoming data, so an attacker can sneak in malicious instructions disguised as regular data, and BentoML unknowingly runs the attacker's code when processing that data.
Interestingly, according to Checkmarx's report, this vulnerability is essentially a repeat of CVE-2024-2912, which was fixed in BentoML version 1.2.5, but the fix was later removed in BentoML version 1.3.8, causing the same weakness to reappear.
"Both CVEs deal with the same exact issue: an Insecure Deserialization vulnerability that can be exploited by sending an HTTP request to any valid endpoint and trigger RCE," wrote Checkmarx's Bruno Dias in a blog post.
Attackers can exploit this by crafting a malicious pickle and sending it to BentoML. In Python, pickle is a way to save complex data structures into a binary form so they can be easily loaded later. The pickle format, however, is not just data: a pickled object can name any importable Python callable together with its arguments, and the unpickler calls that callable while rebuilding the object. So, an attacker can create a special pickle that instructs the computer to execute harmful commands, such as opening a backdoor for a command-and-control server connection.
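To make the mechanism above concrete, here is an added example; it is not BentoML's code and not from the Checkmarx report, and the function names, the Payload class and the allowlist are assumptions made for the illustration. It shows why unpickling attacker-controlled bytes is equivalent to letting the attacker pick a function to call, and one way a deserializer can refuse such payloads. The "malicious" pickle only appends to a list, so it is safe to run.

```python
import io
import pickle

# Records calls made *during* unpickling, so the side effect is observable.
EXECUTED = []


def side_effect(marker):
    """Stand-in for os.system(...) and friends: it only records that it ran."""
    EXECUTED.append(marker)
    return marker


class Payload:
    """Constructed object whose pickled form tells the unpickler to call
    side_effect(...) while rebuilding it. A real attacker would name a
    dangerous callable here instead of this harmless recorder."""

    def __reduce__(self):
        return (side_effect, ("code ran during unpickle",))


def build_malicious_body():
    """Serialized request body an attacker could send (constructed sample)."""
    return pickle.dumps(Payload())


def deserialize_value_vulnerable(body):
    """The pattern the article describes: untrusted bytes go straight to
    pickle.loads. Hypothetical reconstruction, not BentoML's actual serde.py."""
    return pickle.loads(body)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only an explicit allowlist of globals.
    Every callable a payload wants to run must be looked up through
    find_class, so rejecting unknown names stops the REDUCE step before
    anything executes."""

    # Assumption: the only class this service legitimately needs to restore.
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def deserialize_value_hardened(body):
    """Same input, but globals outside the allowlist are refused."""
    return RestrictedUnpickler(io.BytesIO(body)).load()


def demo():
    """Run both deserializers on a benign and a malicious body; return what happened."""
    benign = pickle.dumps({"prompt": "hello", "n": 3})  # plain data, no globals
    malicious = build_malicious_body()
    results = {}

    results["vulnerable_benign"] = deserialize_value_vulnerable(benign)
    EXECUTED.clear()
    results["vulnerable_malicious"] = deserialize_value_vulnerable(malicious)
    results["vulnerable_side_effects"] = list(EXECUTED)  # the callable ran

    EXECUTED.clear()
    results["hardened_benign"] = deserialize_value_hardened(benign)
    try:
        deserialize_value_hardened(malicious)
        results["hardened_malicious"] = "loaded"
    except pickle.UnpicklingError as exc:
        results["hardened_malicious"] = f"rejected: {exc}"
    results["hardened_side_effects"] = list(EXECUTED)  # nothing ran
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The allowlist approach shrinks the attack surface but still parses an attacker-chosen pickle stream, so the cleaner fix for an unauthenticated endpoint is to stop accepting pickle from clients at all and use a data-only format such as JSON; the restricted unpickler is the fallback when a pickle input path genuinely cannot be removed.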
While the initial security advisory from NIST suggested versions 1.3.4 through 1.4.2 were vulnerable, Checkmarx researchers found that the number of affected versions is smaller: 1.3.8 through 1.4.2 are vulnerable.
The good news is that a fix has been released in BentoML version 1.4.3 that stops the vulnerable deserialization path from being applied to untrusted HTTP request data. So, you should immediately update to the latest version to protect your AI services from attackers.
If upgrading is not possible, researchers suggest using a Web Application Firewall (WAF) to block incoming web traffic containing the problematic content type and serialized data. However, this might not eliminate the risk: a WAF rule only filters requests that match its signature, while the vulnerable code path remains on the server.