CVE-2025-27520: BentoML: unauthenticated RCE via insecure deserialization

GHSA-33xw-247w-6hmc CRITICAL PoC AVAILABLE CISA: ATTEND
Published April 4, 2025
CISO Take

Any BentoML deployment running v1.3.4–1.4.2 is fully compromised by a single unauthenticated HTTP request. With EPSS at 0.87, active exploitation is highly probable. Patch to v1.4.3 immediately; if patching is blocked, firewall all BentoML endpoints until the upgrade is complete.

What is the risk?

CRITICAL. CVSS 9.8 with network-accessible, zero-auth RCE and no user interaction required. EPSS of 0.87 places this in the top percentile for likely active exploitation. BentoML serves ML models in production environments, making exposed instances high-value targets for model theft, credential harvesting, and lateral movement into broader ML infrastructure. Default port exposure and the prevalence of BentoML in cloud-hosted inference pipelines amplify the blast radius.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
BentoML | pip | >= 1.3.4, < 1.4.3 | 1.4.3

Package profile: 8.7K, OpenSSF 6.4, 21 dependents, pushed 21d ago, 55% patched, ~14d to patch.

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 43.7% chance of exploitation in 30 days (higher than 99% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
EPSS exploit prediction: 44%
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

  1. IMMEDIATE: Upgrade all BentoML instances to v1.4.3 (pip install --upgrade bentoml==1.4.3).
  2. If immediate patching is not possible, restrict network access to BentoML endpoints via firewall; allow only trusted IP ranges.
  3. Audit process logs for anomalous child process spawns from the BentoML process and unexpected outbound connections.
  4. Audit whether BentoML endpoints are inadvertently internet-exposed (default port 3000).
  5. Post-patch, rotate all credentials accessible from the BentoML host: API keys, DB passwords, cloud IAM tokens, model registry credentials.

What does CISA's SSVC say?

Decision: Attend
Exploitation: poc
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: 6.1.2 - AI risk assessment
NIST AI RMF: MANAGE 2.4 - Risk response mechanisms for AI systems
OWASP LLM Top 10: LLM05:2025 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2025-27520 actively exploited?

A weaponized Metasploit module (exploit/linux/http/bentoml_rce_cve_2025_27520) exists for CVE-2025-27520, meaning the exploit is point-and-click and the risk of opportunistic exploitation is high.

What systems are affected by CVE-2025-27520?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference pipelines, MLOps platforms, AI microservices, containerized ML deployments.

What is the CVSS score for CVE-2025-27520?

CVE-2025-27520 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 43.67%.

What is the AI security impact?

Affected AI Architectures

model serving, inference pipelines, MLOps platforms, AI microservices, containerized ML deployments

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 6.1.2
NIST AI RMF: MANAGE 2.4
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version (v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. An unsafe code segment exists in serde.py. This vulnerability is fixed in 1.4.3.

Exploitation Scenario

An adversary scans for publicly exposed BentoML inference APIs (default port 3000). They craft a single HTTP POST request to any BentoML endpoint that triggers the unsafe deserialization path in serde.py, embedding a Python pickle payload that spawns a reverse shell. No authentication, no special headers, no prior knowledge of the model required. From the beachhead, they enumerate model artifacts, cloud credentials in environment variables, and connected data stores. Model weights and training datasets are exfiltrated before the compromise is detected — and in containerized deployments, they attempt container escape to reach the underlying host.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.
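The two CWE-502 mitigations above, worked into a small hardened loader. This is an added illustration, not BentoML's serde.py or its fix: it seals a serialized object with an HMAC-SHA256 tag, verifies the tag in constant time before any deserialization, and then unpickles through an allow-list so that a pickle referencing any module-level callable is refused. The key and the sample inputs are constructed for the demo.

```python
import hashlib
import hmac
import io
import os
import pickle

# Constructed demo key; a real deployment loads this from a secrets store.
SECRET_KEY = b"demo-key-do-not-use-in-production"
TAG_LEN = hashlib.sha256().digest_size

# Only these (module, name) pairs may ever be resolved by the unpickler.
ALLOWED_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
    ("builtins", "set"), ("builtins", "str"), ("builtins", "bytes"),
    ("builtins", "int"), ("builtins", "float"), ("builtins", "bool"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every GLOBAL / STACK_GLOBAL reference outside the allow-list."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def seal(obj) -> bytes:
    """Serialize, then append an HMAC tag (the 'signing/sealing' mitigation)."""
    data = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    return data + hmac.new(SECRET_KEY, data, hashlib.sha256).digest()


def is_authentic(blob: bytes) -> bool:
    """Constant-time tag check; runs BEFORE any bytes reach the unpickler."""
    if len(blob) < TAG_LEN:
        return False
    data, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return hmac.compare_digest(tag, hmac.new(SECRET_KEY, data, hashlib.sha256).digest())


def unseal(blob: bytes):
    """Reject unauthenticated blobs, then deserialize under the allow-list."""
    if not is_authentic(blob):
        raise ValueError("HMAC mismatch: payload rejected before deserialization")
    return RestrictedUnpickler(io.BytesIO(blob[:-TAG_LEN])).load()


def load_unsigned(data: bytes) -> str:
    """Second layer on its own, for data that carries no tag at all."""
    try:
        RestrictedUnpickler(io.BytesIO(data)).load()
        return "accepted"
    except pickle.UnpicklingError as exc:
        return f"rejected: {exc}"


def reference_pickle() -> bytes:
    """Constructed sample: a pickle that names a module-level function (harmless here)."""
    return pickle.dumps(os.path.join)
```

Signing only helps when the producer of the blob is trusted and holds the key; for requests from arbitrary clients, as in this CVE, the allow-listed unpickler is the layer that actually matters, and a data-only format such as JSON removes the deserialization code path entirely.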

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: April 4, 2025
Last Modified: June 27, 2025
First Seen: April 4, 2025
