AI description
CVE-2025-27520 is a Remote Code Execution (RCE) vulnerability found in BentoML, a Python library used for building online serving systems optimized for AI applications and model inference. This vulnerability exists due to insecure deserialization in the `serde.py` file. The vulnerability allows unauthenticated users to execute arbitrary code on the server by sending malicious data payloads as HTTP requests. Specifically, the `deserialize_value()` function deserializes input data without proper validation, enabling attackers to inject malicious payloads that trigger the execution of arbitrary code when deserialized. The vulnerability affects BentoML versions 1.3.8 through 1.4.2 and has been fixed in version 1.4.3.
- Description
- BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version (v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. An unsafe code segment exists in serde.py. This vulnerability is fixed in 1.4.3.
- Source
- security-advisories@github.com
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Secondary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- Weakness
- CWE-502 (security-advisories@github.com)
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
- 1
Actively exploited CVE : CVE-2025-27520
@transilienceai
26 Apr 2025
13 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-27520
@transilienceai
26 Apr 2025
15 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Serious BentoML vulnerability CVE-2025-27520 FIXED: risk of RCE and a PoC available https://t.co/9klxGd9hgE A serious RCE vulnerability rated CVSS 9.8 has been found in BentoML, a deployment platform for AI models. A PoC has already been published, so teams using it should update as soon as possible. #AI #ML
@iototsecnews
22 Apr 2025
41 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-27520
@transilienceai
20 Apr 2025
20 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-27520
@transilienceai
19 Apr 2025
10 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Metasploit has announced its latest update. The new "PIPE_FETCH" option greatly reduces the command size of fetch payloads. RCE modules for BentoML (CVE-2025-27520) and Langflow (CVE-2025-3248) have been added. Various modules have also received feature enhancements and bug fixes. https://t.co/URXHp3fibR
@01ra66it
19 Apr 2025
2463 Impressions
6 Retweets
48 Likes
9 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-27520
@transilienceai
18 Apr 2025
11 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-27520
@transilienceai
18 Apr 2025
14 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-27520
@transilienceai
17 Apr 2025
10 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-27520
@transilienceai
16 Apr 2025
19 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-27520
@transilienceai
15 Apr 2025
23 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-27520
@transilienceai
15 Apr 2025
11 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-27520
@transilienceai
15 Apr 2025
27 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
A critical deserialization vulnerability (CVSS 9.8 – CVE-2025-27520) in BentoML (v1.3.8–1.4.2) reportedly allows attackers to execute remote code on AI servers without authorization. #CyberSecurity #Vulnerability https://t.co/0f4F2mNqQR
@Cyber_O51NT
12 Apr 2025
59 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 A critical flaw (CVE-2025-27520) in BentoML allows remote code execution on versions 1.3.4 and <1.4.3. Exploit is available, posing risks of system compromise and data theft. #BentoML #SecurityAlert #USA link: https://t.co/eqHjfMAeVE https://t.co/z3cp0NHiXd
@TweetThreatNews
8 Apr 2025
12 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[CVE-2025-27520: CRITICAL] ⚠️Attention: Cybersecurity alert! BentoML users, update to v1.4.3 asap to mitigate Remote Code Execution (RCE) vulnerability in 'https://t.co/ZpUHqmq7IC'. #CyberSecurity #BentoML #RCE#cybersecurity,#vulnerability https://t.co/o944OEUKws https://t.co/pYf
@CveFindCom
7 Apr 2025
43 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes