What is the CVSS score of CVE-2025-27520?

CVE-2025-27520 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 87.3%.

Which versions of Python are affected by CVE-2025-27520?

Organizations using the latest face critical risk from CVE-2025-27520, a insecure deserialization vulnerability rated CVSS 9.8.. A patch is available.

Is there a public PoC exploit available for CVE-2025-27520?

Yes, a public proof-of-concept exploit is available for CVE-2025-27520. Prioritise patching immediately. EPSS: 87.3%.

How to fix or mitigate CVE-2025-27520?

Within 24 hours: Identify all affected systems running the latest and apply vendor patches immediately. Restrict deserialization to trusted data sources and implement integrity checks.

Python CVE-2025-27520

CRITICAL

Deserialization of Untrusted Data (CWE-502)

2025-04-04 security-advisories@github.com

RCE Python Deserialization Bentoml

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:35 vuln.today

Patch released

Mar 28, 2026 - 18:35 nvd

Patch available

PoC Detected

Jun 27, 2025 - 12:48 vuln.today

Public exploit code

CVE Published

Apr 04, 2025 - 15:15 nvd

CRITICAL 9.8

DescriptionNVD

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version (v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. It exists an unsafe code segment in serde.py. This vulnerability is fixed in 1.4.3.

AnalysisAI

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deserialization. The serving endpoint accepts pickled Python objects that are deserialized without validation, allowing attackers to execute arbitrary code on any BentoML inference server.

Technical ContextAI

BentoML's HTTP serving endpoint accepts serialized Python objects for model inference. The framework uses Python's pickle module to deserialize incoming request data without implementing any security controls or class allowlisting. An attacker can craft a malicious pickled object containing a __reduce__ method that executes arbitrary Python code during deserialization.

RemediationAI

Update to BentoML 1.4.3 or later. Never expose BentoML serving endpoints directly to the internet without authentication. Implement network-level access controls. Consider using safer serialization formats (JSON, Protocol Buffers) instead of pickle for inference requests.

CVE-2025-27520 vulnerability details – vuln.today

Back

Python CVE-2025-27520

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code