CVE-2025-27520

Published Apr 4, 2025

Last updated 21 days ago

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2025-27520 is a Remote Code Execution (RCE) vulnerability in BentoML, a Python library for building online serving systems optimized for AI applications and model inference. It is caused by insecure deserialization in the `serde.py` file: the `deserialize_value()` function deserializes input data without validating it, so an unauthenticated user who sends a crafted payload in an HTTP request can have arbitrary code executed on the server when that payload is deserialized. The vulnerability affects BentoML versions 1.3.8 through 1.4.2 and is fixed in version 1.4.3.
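
As an added illustration (not BentoML's code, and assuming the deserializer in question is Python's pickle, which the advisory text does not state), a hardened decoder for the pattern described above: it refuses any pickle stream carrying opcodes that import or call Python objects, and disables class resolution as a second layer. The function names `audit_pickle`, `safe_deserialize_value`, `is_rejected` and `sample_payloads` are hypothetical.

```python
import collections
import io
import pickle
import pickletools

# Opcodes that import or invoke Python objects; any of them means loading can run code.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
                "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4"}

def audit_pickle(data: bytes) -> list:
    """List code-bearing opcodes without loading the stream; empty = plain data."""
    found = []
    try:
        for opcode, _arg, _pos in pickletools.genops(data):
            if opcode.name in CODE_OPCODES:
                found.append(opcode.name)
    except ValueError as exc:  # truncated or malformed stream
        found.append("MALFORMED: " + str(exc))
    return found

class NoGlobalsUnpickler(pickle.Unpickler):
    """Defence in depth: refuse every module/class lookup, so a stream that
    somehow passes the audit still cannot resolve a callable."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def safe_deserialize_value(data: bytes):
    """Hypothetical hardened stand-in for a deserialize_value()-style handler:
    audit the opcodes first, then load with class resolution disabled."""
    bad = audit_pickle(data)
    if bad:
        raise ValueError(f"rejected pickle payload: {sorted(set(bad))}")
    return NoGlobalsUnpickler(io.BytesIO(data)).load()

def is_rejected(data: bytes) -> bool:
    """True if the hardened decoder refuses the payload."""
    try:
        safe_deserialize_value(data)
    except (ValueError, pickle.UnpicklingError):
        return True
    return False

def sample_payloads() -> dict:
    """Constructed samples: plain data, a harmless class reference (the opcode
    shape an attack relies on) and a truncated stream."""
    return {
        "plain": pickle.dumps({"a": 1, "b": [1, 2, 3]}, protocol=4),
        "class_ref": pickle.dumps(collections.OrderedDict(), protocol=4),
        "truncated": b"\x80\x04\x95",
    }
```

The opcode audit is the detection you can also run on captured request bodies; the `find_class` override is what protects the live handler if a stream is ever loaded.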

Description
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version (v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. An unsafe code segment exists in serde.py. This vulnerability is fixed in 1.4.3.
Source: security-advisories@github.com
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

CWE-502 (Deserialization of Untrusted Data), assigned by security-advisories@github.com

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

1

  1. Actively exploited CVE : CVE-2025-27520
    @transilienceai, 26 Apr 2025: 13 impressions, 0 retweets, 0 likes, 0 bookmarks, 1 reply, 0 quotes

  2. Actively exploited CVE : CVE-2025-27520
    @transilienceai, 26 Apr 2025: 15 impressions, 0 retweets, 0 likes, 0 bookmarks, 1 reply, 0 quotes

  3. Serious BentoML vulnerability CVE-2025-27520 FIXED: risk of RCE, and a PoC is available https://t.co/9klxGd9hgE A serious RCE vulnerability rated CVSS 9.8 has been found in BentoML, an AI model deployment platform. A PoC has already been published, so teams using it should update as soon as possible. #AI #ML
    @iototsecnews, 22 Apr 2025: 41 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes

  4. Actively exploited CVE : CVE-2025-27520
    @transilienceai, 20 Apr 2025: 20 impressions, 0 retweets, 0 likes, 0 bookmarks, 1 reply, 0 quotes

  5. Actively exploited CVE : CVE-2025-27520
    @transilienceai, 19 Apr 2025: 10 impressions, 0 retweets, 0 likes, 0 bookmarks, 1 reply, 0 quotes

  6. Metasploit has announced its latest update. The new "PIPE_FETCH" option greatly reduces the command size of fetch payloads. RCE modules for BentoML (CVE-2025-27520) and Langflow (CVE-2025-3248) have been added. Various modules have also received feature enhancements and bug fixes. https://t.co/URXHp3fibR
    @01ra66it, 19 Apr 2025: 2463 impressions, 6 retweets, 48 likes, 9 bookmarks, 1 reply, 0 quotes

  7. Actively exploited CVE : CVE-2025-27520
    @transilienceai, 18 Apr 2025: 11 impressions, 0 retweets, 0 likes, 0 bookmarks, 1 reply, 0 quotes

  8. Actively exploited CVE : CVE-2025-27520
    @transilienceai, 18 Apr 2025: 14 impressions, 0 retweets, 0 likes, 0 bookmarks, 1 reply, 0 quotes

  9. Actively exploited CVE : CVE-2025-27520
    @transilienceai, 17 Apr 2025: 10 impressions, 0 retweets, 0 likes, 0 bookmarks, 1 reply, 0 quotes

  10. Actively exploited CVE : CVE-2025-27520
    @transilienceai, 16 Apr 2025: 19 impressions, 0 retweets, 0 likes, 0 bookmarks, 1 reply, 0 quotes

  11. Actively exploited CVE : CVE-2025-27520
    @transilienceai, 15 Apr 2025: 23 impressions, 0 retweets, 0 likes, 0 bookmarks, 1 reply, 0 quotes

  12. Actively exploited CVE : CVE-2025-27520
    @transilienceai, 15 Apr 2025: 11 impressions, 0 retweets, 0 likes, 0 bookmarks, 1 reply, 0 quotes

  13. Actively exploited CVE : CVE-2025-27520
    @transilienceai, 15 Apr 2025: 27 impressions, 0 retweets, 0 likes, 0 bookmarks, 1 reply, 0 quotes

  14. A critical deserialization vulnerability (CVSS 9.8 – CVE-2025-27520) in BentoML (v1.3.8–1.4.2) reportedly allows attackers to execute remote code on AI servers without authorization. #CyberSecurity #Vulnerability https://t.co/0f4F2mNqQR
    @Cyber_O51NT, 12 Apr 2025: 59 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes

  15. 🚨 A critical flaw (CVE-2025-27520) in BentoML allows remote code execution on versions 1.3.4 and <1.4.3. Exploit is available, posing risks of system compromise and data theft. #BentoML #SecurityAlert #USA link: https://t.co/eqHjfMAeVE https://t.co/z3cp0NHiXd
    @TweetThreatNews, 8 Apr 2025: 12 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes

  16. [CVE-2025-27520: CRITICAL] ⚠️Attention: Cybersecurity alert! BentoML users, update to v1.4.3 asap to mitigate Remote Code Execution (RCE) vulnerability in 'https://t.co/ZpUHqmq7IC'. #CyberSecurity #BentoML #RCE #cybersecurity #vulnerability https://t.co/o944OEUKws https://t.co/pYf
    @CveFindCom, 7 Apr 2025: 43 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes