Skip to main content

Python CVE-2025-27520

CRITICAL
Deserialization of Untrusted Data (CWE-502)
2025-04-04 security-advisories@github.com
Python RCE Deserialization Bentoml
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Mar 28, 2026 - 18:35 vuln.today
Patch released
Mar 28, 2026 - 18:35 nvd
Patch available
PoC Detected
Jun 27, 2025 - 12:48 vuln.today
Public exploit code
CVE Published
Apr 04, 2025 - 15:15 nvd
CRITICAL 9.8

DescriptionGitHub Advisory

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version (v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. It exists an unsafe code segment in serde.py. This vulnerability is fixed in 1.4.3.

AnalysisAI

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deserialization. The serving endpoint accepts pickled Python objects that are deserialized without validation, allowing attackers to execute arbitrary code on any BentoML inference server.

Technical ContextAI

BentoML's HTTP serving endpoint accepts serialized Python objects for model inference. The framework uses Python's pickle module to deserialize incoming request data without implementing any security controls or class allowlisting. An attacker can craft a malicious pickled object containing a __reduce__ method that executes arbitrary Python code during deserialization.

RemediationAI

Update to BentoML 1.4.3 or later. Never expose BentoML serving endpoints directly to the internet without authentication. Implement network-level access controls. Consider using safer serialization formats (JSON, Protocol Buffers) instead of pickle for inference requests.

More from same product – last 7 days

CVE-2026-48039 CRITICAL POC
9.1 Jun 11

Unauthenticated remote attackers can invoke MCP tool handlers and exfiltrate the operator's long-lived Meta Graph API ac
CVE-2026-20251 HIGH
8.8 Jun 10

Remote code execution in Splunk Enterprise, Splunk Cloud Platform, and the Splunk Secure Gateway app allows a low-privil
CVE-2026-53753 CRITICAL
9.8 Jun 16

Unauthenticated remote code execution in Crawl4AI versions <= 0.8.6 allows attackers to escape the AST-based sandbox in

CVE-2026-48519 CRITICAL
9.6 Jun 16

Remote code execution in Langflow versions through 1.9.1 allows unauthenticated attackers to execute arbitrary Python co
CVE-2026-45833 CRITICAL
9.4 Jun 12

Authenticated remote code execution in ChromaDB Python project versions 0.4.17 and later enables attackers holding the U

Share

CVE-2025-27520 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy