BentoML deployments on version 1.3.9 or earlier allow any unauthenticated attacker to craft a trusted-looking URL that silently redirects users to attacker-controlled sites — no credentials or special access required. If you cannot patch immediately, restrict BentoML endpoints to internal networks or VPN and block external access at the perimeter. The real threat is credential theft targeting data scientists and MLOps engineers whose credentials unlock model registries, training pipelines, and production AI infrastructure.
What is the risk?
Effective risk is medium-to-high for organizations with externally exposed BentoML deployments. The CVSS 6.1 score understates practical exposure: exploitation is trivial (no authentication, no prior access, just a crafted link), the Changed scope reflects that the damage lands in the victim's browser and whatever their credentials unlock rather than in BentoML itself, and ML engineers are high-value targets whose credentials open sensitive AI infrastructure. Organizations whose BentoML endpoints are reachable only from internal networks face meaningfully lower risk, since the attacker's link must resolve to a host the victim can reach. No fixed version has been published (patched: N/A), so the exposure window is open-ended.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| BentoML | pip | <= 1.3.9 | No patch |
Do you run BentoML 1.3.9 or earlier? You're affected. Check the installed version with `pip show bentoml` or `bentoml --version` on every serving host, not just the one you remember deploying.
What should I do?
5 steps:
1. Patch: No official patch was available as of the advisory's publication date. Monitor BentoML releases at https://github.com/bentoml/BentoML/releases and apply the first version whose release notes reference this advisory (GHSA-564p-rx2q-4c8v) or the CWE-601 open redirect.
2. Network isolation: Immediately restrict BentoML endpoints to internal networks or VPN; remove any public-facing exposure until patched.
3. WAF rule: Block, or rewrite to a safe default, redirect-style parameters (redirect, return_url, next and similar) on BentoML endpoints at the WAF layer. Remember that a bare denylist of "http" prefixes misses scheme-relative (`//evil.example`) and backslash (`/\evil.example`) forms; allow only paths on your own host.
4. Detection: Audit BentoML access logs for redirect parameters pointing to external domains; alert on any redirect from BentoML to a non-corporate host.
5. User awareness: Notify ML engineering and data science teams to verify any BentoML-originated URL before following it, especially one that lands on a login prompt.
Frequently Asked Questions
What is GHSA-564p-rx2q-4c8v?
GHSA-564p-rx2q-4c8v is an open redirect (CWE-601) in BentoML 1.3.9 and earlier: an unauthenticated attacker can craft a URL on a trusted BentoML host that sends the user to an attacker-controlled site. Its practical use is phishing ML engineers and MLOps staff for credentials to model registries, training pipelines and production AI infrastructure. See the summary at the top of this page for the immediate mitigations.
Is GHSA-564p-rx2q-4c8v actively exploited?
No confirmed active exploitation of GHSA-564p-rx2q-4c8v has been reported. Since no fixed release exists yet, organizations should apply the network isolation, WAF and detection mitigations proactively rather than wait for exploitation evidence.
How to fix GHSA-564p-rx2q-4c8v?
There is no fixed release at the time of writing. Until one ships, follow the five steps under "What should I do?": watch https://github.com/bentoml/BentoML/releases for a version that addresses this advisory, keep BentoML off the public internet, block or rewrite redirect-style parameters at the WAF, audit access logs for off-site redirect targets, and warn ML teams to verify BentoML-originated links before entering credentials.
What systems are affected by GHSA-564p-rx2q-4c8v?
This vulnerability affects the following AI/ML architecture patterns: model serving, MLOps platforms, inference APIs.
What is the CVSS score for GHSA-564p-rx2q-4c8v?
GHSA-564p-rx2q-4c8v has a CVSS v3 base score of 6.1 (MEDIUM); the published vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.
What is the AI security impact?
Affected AI Architectures
Model serving, MLOps platforms, inference APIs.
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0011.003 Malicious Link
- AML.T0049 Exploit Public-Facing Application
- AML.T0052 Phishing
- AML.T0073 Impersonation
What are the technical details?
Original Advisory
An open redirect vulnerability in bentoml/bentoml v1.3.9 allows a remote unauthenticated attacker to redirect users to arbitrary websites via a specially crafted URL. This can be exploited for phishing attacks, malware distribution, and credential theft.
Exploitation Scenario
The attacker identifies a publicly exposed BentoML deployment via Shodan or passive DNS recon against an organization's known ML infrastructure. They craft a URL such as https://models.company.com/redirect?next=https://company-bentoml-login.attacker.com (an illustrative path and parameter; the advisory does not name the vulnerable endpoint) that mimics an internal session timeout. The link is delivered via a targeted Slack or email message to ML engineers ("your model inference session expired, please re-authenticate"). The user trusts the company.com domain, clicks, arrives at a convincing credential-harvesting page, and submits credentials. The attacker now has access to the model registry, training pipelines, and potentially cloud ML accounts, enabling model theft, backdoor injection into training pipelines, or lateral movement to production AI systems.
Weaknesses (CWE)
CWE-601 — URL Redirection to Untrusted Site ('Open Redirect'): The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.
Source: MITRE CWE corpus.
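The WAF and detection steps under "What should I do?" and the CWE-601 "accept known good" guidance above all reduce to one decision: does a redirect target stay on a host you own? The following is an added example, not BentoML's code and not from the advisory, that makes that decision once (`is_unsafe_redirect`) and uses it both ways: as a server-side policy (`safe_redirect_target`) and as a scanner over access-log lines (`scan_access_log`). The allowlist `ALLOWED_HOSTS`, the parameter names in `REDIRECT_PARAMS`, the combined-style log format and the sample log lines are all assumptions constructed for the example; the advisory does not name BentoML's redirect endpoint or parameter.

```python
"""Redirect-target policy and access-log detection for CWE-601.

Added example, not BentoML project code. Everything below is an assumption for
illustration: the corporate host allowlist, the redirect parameter names, the
combined-style access-log format and the sample log lines are all constructed."""
import re
import urllib.parse
from typing import Dict, Iterable, List, Optional

# Hypothetical hosts a redirect may land on. Exact match only, no suffix logic,
# so "models.company.com.attacker.example" is not accepted.
ALLOWED_HOSTS = {"models.company.com", "sso.company.com"}

# Query parameters that commonly carry a redirect target. The advisory does not
# name BentoML's parameter, so a detection rule has to cover the usual set.
REDIRECT_PARAMS = {"next", "redirect", "redirect_uri", "redirect_url",
                   "return_url", "returnTo", "url", "continue"}

# Combined-style access log (nginx/Apache default), assumed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')


def is_unsafe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True if `target`, used in a Location header, could leave allowed_hosts.

    Policy: accept an absolute path ("/x") or an http(s) URL whose host is in
    the allowlist; reject everything else. Covers the classic bypasses:
    scheme-relative "//evil", backslash forms "/\\evil", "https:evil" with no
    slashes, userinfo tricks "https://good@evil", and javascript:/data: schemes.
    """
    t = re.sub(r"[\t\r\n]", "", target.strip())   # characters browsers silently drop
    t = t.replace("\\", "/")                       # browsers treat \ as / in the authority
    try:
        parsed = urllib.parse.urlsplit(t)
    except ValueError:                             # e.g. malformed IPv6 literal
        return True
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return True
    if parsed.netloc:                              # .hostname strips userinfo and port
        return (parsed.hostname or "").lower() not in allowed_hosts
    if parsed.scheme:                              # "https:evil.com": scheme, no authority
        return True
    return not (t.startswith("/") and not t.startswith("//"))


def safe_redirect_target(requested: Optional[str], default: str = "/") -> str:
    """Server-side use: honour `requested` only when it passes the policy."""
    if not requested or is_unsafe_redirect(requested):
        return default
    return requested


def scan_access_log(lines: Iterable[str], allowed_hosts=ALLOWED_HOSTS) -> List[Dict]:
    """Detection use: report every request whose redirect parameter is off-site."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urllib.parse.urlsplit(m.group("path")).query
        for name, values in urllib.parse.parse_qs(query, keep_blank_values=True).items():
            if name not in REDIRECT_PARAMS:
                continue
            for value in values:                   # parse_qs already URL-decoded once
                if is_unsafe_redirect(value, allowed_hosts):
                    findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                     "param": name, "target": value,
                                     "status": int(m.group("status"))})
    return findings


# Constructed sample lines: one internal redirect, two off-site, one allowed host,
# one unrelated inference request.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2025:10:00:01 +0000] "GET /redirect?next=%2Fdashboard HTTP/1.1" 302 0',
    '203.0.113.9 - - [12/May/2025:10:00:02 +0000] "GET /redirect?next=https%3A%2F%2Fcompany-bentoml-login.attacker.example%2F HTTP/1.1" 302 0',
    '203.0.113.9 - - [12/May/2025:10:00:03 +0000] "GET /redirect?next=%2F%5Cattacker.example HTTP/1.1" 302 0',
    '10.0.0.7 - - [12/May/2025:10:00:04 +0000] "GET /redirect?next=https%3A%2F%2Fmodels.company.com%2Fdocs HTTP/1.1" 302 0',
    '10.0.0.8 - - [12/May/2025:10:00:05 +0000] "POST /predict HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['param']}={f['target']!r} -> off-site redirect")
```

Run directly, the scanner reports the two off-site lines (the absolute URL and the backslash form) and stays quiet on the `/dashboard` and `models.company.com` targets. The relative-path rule deliberately accepts only targets that begin with a single `/`, so a double-encoded payload that decodes to `%2F%2Fattacker...` is still flagged rather than passed through; tune `ALLOWED_HOSTS` to your own deployment before using either function.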
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Related Vulnerabilities
| CVE | CVSS | Description | Relation |
|---|---|---|---|
| CVE-2025-54381 | 9.9 | BentoML: unauthenticated SSRF via file upload URLs | Same package: bentoml |
| CVE-2025-32375 | 9.8 | BentoML: RCE via insecure deserialization in runner | Same package: bentoml |
| CVE-2025-27520 | 9.8 | BentoML: unauthenticated RCE via insecure deserialization | Same package: bentoml |
| CVE-2024-9070 | 9.8 | BentoML: unauthenticated RCE via runner deserialization | Same package: bentoml |
| CVE-2026-35044 | 8.8 | BentoML: malicious bento archive RCE via Jinja2 SSTI | Same package: bentoml |