CVE-2026-27905

Name of the Vulnerable Software and Affected Versions BentoML versions prior to 1.4.36

Description BentoML, a Python library used for building online serving systems for AI applications, contains a flaw in the safe extract tarfile() function. This function inadequately validates symlink targets within tar files. Specifically, it verifies the symlink's own path but does not check the path to which the symlink points. An attacker can exploit this by crafting a malicious tar file containing a symlink that points to a location outside the intended extraction directory, followed by a regular file. When the tar file is extracted, writing through the symlink can result in arbitrary file write on the host filesystem. The vulnerable code resides in src/bentoml/ internal/utils/filesystem.py lines 58-96. The issue is present in all versions containing the safe extract tarfile() function. A proof of concept demonstrates the ability to overwrite files, potentially leading to remote code execution, especially in scenarios involving shared bentos or BentoCloud deployments.

Recommendations Versions prior to 1.4.36 should be updated to version 1.4.36 or later. As a mitigation, validate symlink targets within the safe extract tarfile() function to ensure they remain within the intended destination directory. Alternatively, consider using Python 3.12 or later and utilizing the tar.extractall(filter='data') method.