CVE-2025-27520

CVE Database · CVE-2025-27520

CVE-2025-27520

· CRITICALAnalyzed

CVSS v3.1

9.8

EPSS

43.67%

Published

Apr 4, 2025

Modified

Jun 27, 2025

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version (v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. It exists an unsafe code segment in serde.py. This vulnerability is fixed in 1.4.3.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-502

Affected Products (1)

bentoml · bentomlvulnerable

References (3)

https://github.com/bentoml/BentoML/commit/b35f4f4fcc53a8c3fe8ed9c18a013fe0a728e194

Patch

https://github.com/bentoml/BentoML/security/advisories/GHSA-33xw-247w-6hmc

ExploitThird Party Advisory

https://github.com/bentoml/BentoML/security/advisories/GHSA-33xw-247w-6hmc

ExploitThird Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs