An insecure deserialization vulnerability exists in the BentoML framework, allowing remote code execution (RCE) by sending a specially crafted POST request. By exploiting this vulnerability, attackers can execute arbitrary commands on the server hosting the BentoML application. The vulnerability is triggered when a serialized object, crafted to execute OS commands upon deserialization, is sent to any valid BentoML endpoint. This issue poses a significant security risk, enabling attackers to compromise the server and potentially gain unauthorized access or control.
The vulnerability is triggered by sending a POST request containing a maliciously crafted serialized object to any valid BentoML endpoint. During the deserialization process, the framework processes the submitted object without proper validation, resulting in execution of embedded system commands (OS commands). This mechanism corresponds to CWE-1188 classification (insecure default initialization), where inappropriate default deserialization settings lead to a critical vulnerability. The lack of authentication requirement and absence of user interaction makes the attack particularly easy to perform.
An attacker can execute arbitrary commands on the server, leading to complete takeover of the host, data breach, installation of malware, or unauthorized access to infrastructure resources.
Apply patches available from the vendor according to the references — the fix was introduced in commit fd70379733c57c6368cc022ac1f841b7b426db7b in the BentoML GitHub repository. Immediate update to a version containing this patch is recommended, and exposure of BentoML endpoints should be restricted to trusted networks only.
BentoML framework — versions indicated in vendor references (see fix commit: fd70379733c57c6368cc022ac1f841b7b426db7b)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H