Docker
CVE-2026-33744
HIGH
Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The docker.system_packages field in bentofile.yaml accepts arbitrary strings that are interpolated directly into Dockerfile RUN commands without sanitization. Since system_packages is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious bentofile.yaml achieves arbitrary command execution during bentoml containerize / docker build.
Affected Component
src/_bentoml_sdk/images.py:85-89-.format(packages=" ".join(packages))into shell commandsrc/bentoml/_internal/container/frontend/dockerfile/templates/base_debian.j2:13-{{ __options__system_packages | join(' ') }}src/bentoml/_internal/bento/build_config.py:174- No validation onsystem_packages- All distro install commands in
src/bentoml/_internal/container/frontend/dockerfile/__init__.py
Affected Versions
All versions supporting docker.system_packages in bentofile.yaml, confirmed on 1.4.36.
Steps to Reproduce
- Create a project directory with:
service.py:
import bentoml
@bentoml.service
class MyService:
@bentoml.api
def predict(self) -> str:
return "hello"bentofile.yaml:
service: "service:MyService"
docker:
system_packages:
- "curl && id > /tmp/bentoml-pwned #"- Run:
bentoml build- Examine the generated Dockerfile at
~/bentoml/bentos/my_service/<tag>/env/docker/Dockerfile. Line 41 will contain:
RUN apt-get install -q -y -o Dpkg::Options::=--force-confdef curl && id > /tmp/bentoml-pwned
#- Running
bentoml containerize my_service:<tag>will executeid > /tmp/bentoml-pwnedas root during the Docker build.
Root Cause
The system_packages field values are treated as package names (data) by the user but are string-formatted directly into shell commands in the Dockerfile:
# images.py:85-89
self.commands.append(
CONTAINER_METADATA[self.distro]["install_command"].format(
packages=" ".join(packages)
# No escaping
)
)Where install_command is "apt-get install -q -y -o Dpkg::Options::=--force-confdef {packages}".
A bash_quote filter (wrapping shlex.quote) exists in the codebase and is registered in both Jinja2 environments, but it is only applied to environment variable values, never to system_packages.
Impact
- Malicious repositories: An attacker publishes an ML project with a crafted
bentofile.yaml. Anyone who clones and builds it gets arbitrary code execution duringdocker build. - CI/CD compromise: Automated pipelines running
bentoml containerizeon PRs that modifybentofile.yamlare vulnerable. - BentoCloud: If BentoCloud builds images from user-supplied
bentofile.yaml, this could achieve RCE on cloud infrastructure. - Supply chain: Shared bentos or model repos in the BentoML ecosystem can contain malicious configs.
Suggested Fix
Option 1: Input validation (recommended)
Add a regex validator to system_packages in build_config.py:
import re
VALID_PACKAGE_NAME = re.compile(r'^[a-zA-Z0-9][a-zA-Z0-9.+\-_:]*$')
def _validate_system_packages(instance, attribute, value):
if value is None:
return
for pkg in value:
if not VALID_PACKAGE_NAME.match(pkg):
raise BentoMLException(
f"Invalid system package name: {pkg!r}. "
"Package names may only contain alphanumeric characters, "
"dots, plus signs, hyphens, underscores, and colons."
)
system_packages: t.Optional[t.List[str]] = attr.field(
default=None, validator=_validate_system_packages
)Option 2: Output escaping
Apply shlex.quote() to each package name before interpolation in images.py:system_packages() and apply the bash_quote Jinja2 filter in base_debian.j2.
AnalysisAI
BentoML, a Python framework for ML model serving, contains a command injection vulnerability in the docker.system_packages configuration field of bentofile.yaml files. The vulnerability affects all versions supporting this feature (confirmed in version 1.4.36) and allows attackers to execute arbitrary commands during the Docker image build process (bentoml containerize). This is a high-severity supply chain risk with a CVSS score of 7.8, requiring user interaction to trigger but achieving full command execution as root during container builds.
Technical ContextAI
BentoML (pkg:pip/bentoml) is a Python framework for building and deploying machine learning services. The vulnerability is rooted in CWE-94 (Improper Control of Generation of Code / Code Injection). The system_packages field in bentofile.yaml configuration files is intended to specify OS package names for installation in Docker containers. However, the implementation in src/_bentoml_sdk/images.py and Jinja2 templates (base_debian.j2) directly interpolates these values into Dockerfile RUN commands using string formatting without sanitization or shell escaping. While the codebase includes a bash_quote filter using shlex.quote for environment variables, this protection is never applied to system_packages values. The values are joined with spaces and inserted directly into apt-get install commands, allowing shell metacharacters and command separators to break out of the intended command context.
RemediationAI
Users should upgrade to a patched version of BentoML as soon as one is released by the vendor (monitor https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf for updates). Until a patch is available, implement strict validation of bentofile.yaml files from untrusted sources by reviewing all system_packages entries for shell metacharacters (semicolons, ampersands, pipes, backticks, dollar signs, redirects). In CI/CD environments, implement mandatory code review for any changes to bentofile.yaml files before automated builds, and consider running bentoml containerize in isolated, ephemeral build environments with no access to sensitive resources. Organizations can also apply the suggested fix manually by patching build_config.py to validate package names against the regex pattern ^[a-zA-Z0-9][a-zA-Z0-9.+\-_:]*$ before processing. For BentoCloud users or operators of shared build infrastructure, disable or restrict the system_packages feature until patching is complete.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-jfjg-vc52-wqvf