CVE-2025-27520

Published Apr 4, 2025

Last updated 21 days ago

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2025-27520 is a Remote Code Execution (RCE) vulnerability found in BentoML, a Python library used for building online serving systems optimized for AI applications and model inference. This vulnerability exists due to insecure deserialization in the `serde.py` file. The vulnerability allows unauthenticated users to execute arbitrary code on the server by sending malicious data payloads as HTTP requests. Specifically, the `deserialize_value()` function deserializes input data without proper validation, enabling attackers to inject malicious payloads that trigger the execution of arbitrary code when deserialized. The vulnerability affects BentoML versions 1.3.8 through 1.4.2 and has been fixed in version 1.4.3.

Description: BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version (v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. It exists an unsafe code segment in serde.py. This vulnerability is fixed in 1.4.3.
Source: security-advisories@github.com
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

security-advisories@github.com: CWE-502

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score: 1

Overview

AI description

Risk scores

CVSS 3.1

Weaknesses

Social media

References