GHSA-564p-rx2q-4c8v: BentoML: open redirect exposes ML teams to phishing

GHSA-564p-rx2q-4c8v MEDIUM
Published March 20, 2025
CISO Take

BentoML deployments on version 1.3.9 or earlier allow any unauthenticated attacker to craft a trusted-looking URL that silently redirects users to attacker-controlled sites — no credentials or special access required. If you cannot patch immediately, restrict BentoML endpoints to internal networks or VPN and block external access at the perimeter. The real threat is credential theft targeting data scientists and MLOps engineers whose credentials unlock model registries, training pipelines, and production AI infrastructure.

Risk Assessment

Effective risk is medium-to-high for organizations with externally exposed BentoML deployments. CVSS 6.1 understates practical exposure: exploit complexity is trivial (no authentication, no prior access), the Changed scope means a successful phish cascades beyond BentoML itself, and ML engineers are high-value targets whose credentials unlock sensitive AI infrastructure. Organizations with internal-only BentoML deployments face meaningfully lower risk. No patch is currently available (patched: N/A), which extends the exposure window indefinitely.

Affected Systems

Package   Ecosystem   Vulnerable Range   Patched
bentoml   pip         <= 1.3.9           No patch


Severity & Risk

CVSS 3.1: 6.1 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Changed
C (Confidentiality): Low
I (Integrity): Low
A (Availability): None

Recommended Action

5 steps
  1. Patch: No official patch available as of CVE publication date — monitor bentoml releases at https://github.com/bentoml/BentoML/releases and apply the first version that addresses CWE-601.

  2. Network isolation: Immediately restrict BentoML endpoints to internal networks or VPN; remove any public-facing exposure until patched.

  3. WAF rule: Block or sanitize redirect/return_url/next parameters on BentoML endpoints at the WAF layer.

  4. Detection: Audit BentoML access logs for redirect parameters pointing to external domains; alert on any outbound redirect from BentoML to non-corporate domains.

  5. User awareness: Notify ML engineering and data science teams to verify any BentoML-originated URLs before following — especially login prompts.
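Steps 3 and 4 in working form, as an added example that is not BentoML's code or part of the advisory: a same-origin check for the redirect, return_url and next parameters, run over constructed access-log lines in Common Log Format. The log format and the trusted-host list are assumptions; models.company.com is taken from the advisory's exploitation scenario.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameter names called out in the advisory's WAF guidance (step 3).
REDIRECT_PARAMS = ("redirect", "return_url", "next")
# models.company.com is the host in the advisory's scenario; trusting company.com too is an assumption.
TRUSTED_HOSTS = {"models.company.com", "company.com"}
# Common Log Format; SAMPLE_LOG below is constructed, not a real BentoML log.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

def redirect_target_is_external(value: str) -> bool:
    """True if following `value` as a redirect would leave the trusted origin."""
    # Decode once more (catches double-encoding) and normalise backslashes:
    # browsers resolve "/\host", "//host" and "///host" to a new authority.
    v = unquote(value).strip().replace("\\", "/")
    if v.startswith("//"):
        return True
    try:
        parts = urlsplit(v)
    except ValueError:
        return True  # unparseable (e.g. broken IPv6 literal): treat as hostile
    if not parts.scheme and not parts.netloc:
        return False  # plain relative path stays on the same origin
    if parts.scheme not in ("http", "https"):
        return True  # javascript:, data: and other non-web schemes
    host = (parts.hostname or "").lower()
    return not any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def find_external_redirects(lines):
    """(timestamp, client_ip, param, value) for each request whose redirect parameter points off-origin (step 4)."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line
        query = parse_qs(urlsplit(m["path"]).query, keep_blank_values=True)
        for name in REDIRECT_PARAMS:
            for value in query.get(name, []):
                if redirect_target_is_external(value):
                    hits.append((m["ts"], m["ip"], name, value))
    return hits

SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2025:10:01:02 +0000] "GET /redirect?next=https://company-bentoml-login.attacker.example/ HTTP/1.1" 302 0
10.0.0.5 - - [20/Mar/2025:10:02:15 +0000] "GET /redirect?next=/dashboard HTTP/1.1" 302 0
203.0.113.7 - - [20/Mar/2025:10:03:40 +0000] "GET /login?return_url=//attacker.example/login HTTP/1.1" 302 0
203.0.113.8 - - [20/Mar/2025:10:05:00 +0000] "GET /redirect?redirect=https%3A%2F%2Fmodels.company.com%2Fhome HTTP/1.1" 302 0
""".splitlines()
```

The same `redirect_target_is_external` check is what a WAF rule or the application itself should apply before issuing the redirect; anything it flags in the logs is a candidate alert for the SOC.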

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: 6.1.2 - AI risk assessment
NIST AI RMF: MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
OWASP LLM Top 10: LLM03 - Supply Chain

Frequently Asked Questions

What is GHSA-564p-rx2q-4c8v?

BentoML deployments on version 1.3.9 or earlier allow any unauthenticated attacker to craft a trusted-looking URL that silently redirects users to attacker-controlled sites — no credentials or special access required. If you cannot patch immediately, restrict BentoML endpoints to internal networks or VPN and block external access at the perimeter. The real threat is credential theft targeting data scientists and MLOps engineers whose credentials unlock model registries, training pipelines, and production AI infrastructure.

Is GHSA-564p-rx2q-4c8v actively exploited?

No confirmed active exploitation of GHSA-564p-rx2q-4c8v has been reported, but organizations should still patch proactively.

How to fix GHSA-564p-rx2q-4c8v?

1. Patch: No official patch available as of CVE publication date; monitor bentoml releases at https://github.com/bentoml/BentoML/releases and apply the first version that addresses CWE-601.
2. Network isolation: Immediately restrict BentoML endpoints to internal networks or VPN; remove any public-facing exposure until patched.
3. WAF rule: Block or sanitize redirect/return_url/next parameters on BentoML endpoints at the WAF layer.
4. Detection: Audit BentoML access logs for redirect parameters pointing to external domains; alert on any outbound redirect from BentoML to non-corporate domains.
5. User awareness: Notify ML engineering and data science teams to verify any BentoML-originated URLs before following, especially login prompts.

What systems are affected by GHSA-564p-rx2q-4c8v?

This vulnerability affects the following AI/ML architecture patterns: model serving, MLOps platforms, inference APIs.

What is the CVSS score for GHSA-564p-rx2q-4c8v?

GHSA-564p-rx2q-4c8v has a CVSS v3.1 base score of 6.1 (MEDIUM).

Technical Details

NVD Description

An open redirect vulnerability in bentoml/bentoml v1.3.9 allows a remote unauthenticated attacker to redirect users to arbitrary websites via a specially crafted URL. This can be exploited for phishing attacks, malware distribution, and credential theft.

Exploitation Scenario

Attacker identifies a publicly exposed BentoML deployment via Shodan or passive DNS recon targeting an organization's known ML infrastructure. They craft a URL such as https://models.company.com/redirect?next=https://company-bentoml-login.attacker.com that mimics an internal session timeout. The link is delivered via a targeted Slack or email message to ML engineers ('your model inference session expired, please re-authenticate'). The user trusts the company.com domain, clicks, arrives at a convincing credential harvesting page, and submits credentials. Attacker now has access to the model registry, training pipelines, and potentially cloud ML accounts — enabling model theft, backdoor injection into training pipelines, or lateral movement to production AI systems.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Timeline

Published: March 20, 2025
Last Modified: April 15, 2025
First Seen: March 24, 2026
