CVE-2025-27520

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-27520
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27520.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-27520
Aliases
Published
2025-04-04T14:28:51.574Z
Modified
2025-12-05T08:53:53.566014Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
BentoML Allows Remote Code Execution (RCE) via Insecure Deserialization
Details

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version (v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. The unsafe code segment exists in serde.py. This vulnerability is fixed in 1.4.3.

Database specific
{
    "cwe_ids": [
        "CWE-502"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/27xxx/CVE-2025-27520.json"
}
References

Affected packages

Git / github.com/bentoml/bentoml

Affected ranges

Type
GIT
Repo
https://github.com/bentoml/bentoml
Events

Affected versions

v1.*

v1.3.10
v1.3.11
v1.3.12
v1.3.13
v1.3.14
v1.3.15
v1.3.16
v1.3.17
v1.3.18
v1.3.19
v1.3.20
v1.3.21
v1.3.22
v1.3.4
v1.3.4post1
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.4.0
v1.4.0a1
v1.4.0a2
v1.4.1
v1.4.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27520.json"