{"repro_id":"REPRO-2026-00045","version":4,"title":"BentoML RCE via Insecure Deserialization","repro_type":"security","status":"published","severity":"critical","cvss_score":9.8,"description":"A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version(v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server.","root_cause":"# RCA Report - GHSA-33xw-247w-6hmc (CVE-2025-27520)\n\nSummary:\n- Root Cause: In BentoML <=1.4.2, application/vnd.bentoml+pickle requests were deserialized with pickle.loads when payload.metadata lacked \"buffer-lengths\" in serde.deserialize_value, allowing execution of attacker-controlled pickle opcodes from HTTP requests.\n- Impact: Remote code execution by unauthenticated clients.\n\nEvidence (vulnerable 1.4.2):\n- Exploit sent with Content-Type: application/vnd.bentoml+pickle to /summarize.\n- Server executed shell commands to append markers to logs/rce_proof.txt.\n- Repro script logs show markers present:\n  - RCE_ATTEMPT_1_...\n  - RCE_ATTEMPT_2_...\n  - RCE_ATTEMPT_3_...\n\nPatched verification (latest 1.4.30):\n- application/vnd.bentoml+pickle is rejected with 415 (\"not allowed in main server\").\n- Case/param variations return 400/415 and do not execute payloads.\n- logs/rce_proof_patched.txt remains empty.\n\nFiles:\n- Script: bundle/reproduction_steps.sh\n- Logs: bundle/logs/*\n- Patch analysis: repro/patch_analysis.md\n","ghsa_id":"GHSA-33xw-247w-6hmc","cve_id":"CVE-2025-27520","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27520","package":{"name":"bentoml","ecosystem":"pip","affected_versions":">=1.3.4, <1.4.3","fixed_version":"1.4.3"},"reproduced_at":"2026-01-07T21:07:50.147337+00:00","duration_secs":997.43474984169,"tool_calls":33,"turns":2,"handoffs":1,"quality":{"idempotent_verified":false,"community_verifications":0},"published_at":"2026-01-07T21:08:01.767455+00:00","retracted":false,"artifacts":[{"path":"reproduction_steps.sh","filename":"reproduction_steps.sh","size":10694,"category":"reproduction_script"},{"path":"repro/rca_report.md","filename":"rca_report.md","size":1023,"category":"analysis"},{"path":"logs/patch_diff_1.4.2_latest.txt","filename":"patch_diff_1.4.2_latest.txt","size":0,"category":"other"},{"path":"logs/env.txt","filename":"env.txt","size":279,"category":"other"},{"path":"logs/rce_proof_patched_latest.txt","filename":"rce_proof_patched_latest.txt","size":0,"category":"other"},{"path":"logs/server_patched.log","filename":"server_patched.log","size":17015,"category":"log"},{"path":"logs/rce_proof.txt","filename":"rce_proof.txt","size":102,"category":"other"},{"path":"logs/exploit_attempt_1.log","filename":"exploit_attempt_1.log","size":251,"category":"log"},{"path":"logs/patch_diff_1.4.2_1.4.30.txt","filename":"patch_diff_1.4.2_1.4.30.txt","size":2673,"category":"other"},{"path":"logs/serde_patched_1.4.30.py","filename":"serde_patched_1.4.30.py","size":10373,"category":"script"},{"path":"logs/patched_attempts.log","filename":"patched_attempts.log","size":784,"category":"log"},{"path":"logs/exploit_attempt_2.log","filename":"exploit_attempt_2.log","size":251,"category":"log"},{"path":"logs/repro.log","filename":"repro.log","size":53686,"category":"log"},{"path":"logs/serde_vuln_1.4.2.py","filename":"serde_vuln_1.4.2.py","size":10373,"category":"script"},{"path":"logs/server.log","filename":"server.log","size":6937,"category":"log"},{"path":"logs/rce_proof_patched.txt","filename":"rce_proof_patched.txt","size":0,"category":"other"},{"path":"logs/server_patched_latest.log","filename":"server_patched_latest.log","size":640,"category":"log"},{"path":"logs/server_patched_latest.pid","filename":"server_patched_latest.pid","size":5,"category":"other"},{"path":"logs/exploit_attempt_3.log","filename":"exploit_attempt_3.log","size":251,"category":"log"},{"path":"ticket.md","filename":"ticket.md","size":3292,"category":"ticket"},{"path":"work/service.py","filename":"service.py","size":430,"category":"script"},{"path":"repro/patch_analysis.md","filename":"patch_analysis.md","size":865,"category":"documentation"}]}