PT-2025-15707 · Bentoml · Bentoml

Seaw1Nd · Published 2025-04-09 · Updated 2026-04-04 · CVE-2025-32375

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: BentoML versions 1.0.0a1 through 1.4.7

Description: The issue is an insecure deserialization in BentoML's runner server. By setting specific headers and parameters in a POST request, an unauthenticated attacker can execute arbitrary code on the server, gaining initial access and disclosing information held on it. The Payload-Container and Payload-Meta headers control how the request body is deserialized, which lets an attacker run commands such as curl and potentially obtain a remote shell on the server.

Recommendations: To resolve the issue, update to version 1.4.8, which fixes the insecure deserialization vulnerability in BentoML's runner server. As a temporary workaround, consider restricting access to the vulnerable runner app.py and container.py modules until a patch is available. Avoid using the NdarrayContainer and PandasDataFrameContainer classes in the Payload-Container header, as they can be exploited to execute arbitrary code. Restrict the use of the pickle.loads() function, which is used to deserialize payload data, so that untrusted input cannot reach it.
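The description and recommendations above come down to two design mistakes: a request header selects which container class handles the body, and that class hands the body to pickle.loads(). The following is an added example, not BentoML's code, showing the defensive pattern a practitioner would want in its place. It is a hypothetical runner handler: the header can only pick an entry from a fixed registry, and any pickle the service still has to accept goes through an Unpickler whose find_class() refuses every global that is not on an explicit allowlist. All names (CONTAINER_REGISTRY, select_container, safe_loads, the demo functions) and the allowlist contents are assumptions for the example.

```python
"""Added example (not BentoML's own code): allowlisted payload deserialization.

A fixed registry resolves the container name from the request header, and a
restricted Unpickler refuses any global that is not explicitly allowed, so a
crafted body cannot name arbitrary importable classes. All identifiers here
are hypothetical.
"""
import collections
import datetime
import io
import json
import pickle


def _decode_json_list(body: bytes) -> list:
    """Hypothetical container handler that parses a JSON array body."""
    return list(json.loads(body.decode("utf-8")))


# The header value is only a key into this table; it never names a class.
CONTAINER_REGISTRY = {
    "json-list": _decode_json_list,
}


def select_container(header_value: str):
    """Resolve the Payload-Container header against the fixed registry."""
    try:
        return CONTAINER_REGISTRY[header_value]
    except KeyError:
        raise ValueError(f"unknown payload container: {header_value!r}") from None


# (module, qualname) pairs the unpickler may resolve. Everything else is
# refused before any object is constructed.
ALLOWED_GLOBALS = {
    ("datetime", "date"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def safe_loads(data: bytes):
    """Drop-in replacement for pickle.loads() with the allowlist enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo_roundtrip() -> bool:
    """Plain containers and allowlisted types still deserialize normally."""
    payload = {"rows": [1, 2, 3], "when": datetime.date(2025, 4, 9)}
    return safe_loads(pickle.dumps(payload)) == payload


def demo_rejects_foreign_global() -> bool:
    """A pickle referencing a global outside the allowlist is refused.

    OrderedDict is harmless; it is used here only because it forces a global
    reference into the pickle. Any other module reference is refused the same
    way, before the object is ever constructed.
    """
    blob = pickle.dumps(collections.OrderedDict(a=1))
    try:
        safe_loads(blob)
    except pickle.UnpicklingError:
        return True
    return False


def demo_registry() -> bool:
    """Known container names resolve; anything else is rejected up front."""
    ok = select_container("json-list")(b"[1, 2]") == [1, 2]
    try:
        select_container("some.module.Class")
    except ValueError:
        return ok
    return False


if __name__ == "__main__":
    print(demo_roundtrip(), demo_rejects_foreign_global(), demo_registry())
```

The registry removes the header-to-class mapping entirely; the restricted Unpickler is the fallback for code paths that must keep accepting pickle, and its allowlist should be the shortest list the service can function with.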

Tags: Exploit · Fix · RCE · Deserialization of Untrusted Data


Weakness Enumeration

Related Identifiers

CVE-2025-32375
GHSA-7V4R-C989-XH26
PYSEC-2025-32

Affected Products

Bentoml