CVE-2024-9070

Name of the Vulnerable Software and Affected Versions bentoml/bentoml versions prior to 1.3.4.post1

Description A deserialization issue exists in the BentoML runner server. By configuring specific parameters, an attacker can execute unauthorized arbitrary code on the server, causing severe harm. The issue is triggered when the args-number parameter is greater than 1, leading to automatic deserialization and arbitrary code execution.

Recommendations For versions prior to 1.3.4.post1, update to version 1.3.4.post1 or later to resolve the issue. As a temporary workaround, consider restricting the args-number parameter to a value of 1 or less to prevent automatic deserialization and arbitrary code execution.