Human
Machine
REPRO-2026-00045 CRITICAL RCE
Verified
BentoML RCE via Insecure Deserialization
bentoml (pip) Jan 7, 2026
What's the vulnerability?
A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version(v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server.
Root Cause Analysis
One Command
Verify with pruva-verify
Run the Pruva CLI to automatically fetch and execute the reproduction script.
pruva-verify REPRO-2026-00045 or
pruva-verify GHSA-33xw-247w-6hmc or
pruva-verify CVE-2025-27520 Install:
curl -fsSL https://pruva.dev/install.sh | sh Or Run Manually
1
Download the script
curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00045/artifacts/reproduction_steps.sh 2
Make executable
chmod +x reproduction_steps.sh 3
Run the script
./reproduction_steps.sh Run in a VM, container, or disposable environment. This exploits a real vulnerability.
How Pruva Reproduced This
Watch the AI agent's step-by-step process.
Loading session...
Artifacts
reproduction_steps.sh10.4 KBrepro/rca_report.md1.0 KBlogs/patch_diff_1.4.2_latest.txt0.0 KBlogs/env.txt0.3 KBlogs/rce_proof_patched_latest.txt0.0 KBlogs/server_patched.log16.6 KBlogs/rce_proof.txt0.1 KBlogs/exploit_attempt_1.log0.2 KBlogs/patch_diff_1.4.2_1.4.30.txt2.6 KBlogs/serde_patched_1.4.30.py10.1 KBlogs/patched_attempts.log0.8 KBlogs/exploit_attempt_2.log0.2 KBlogs/repro.log52.4 KBlogs/serde_vuln_1.4.2.py10.1 KBlogs/server.log6.8 KBlogs/rce_proof_patched.txt0.0 KBlogs/server_patched_latest.log0.6 KBlogs/server_patched_latest.pid0.0 KBlogs/exploit_attempt_3.log0.2 KBticket.md3.2 KBwork/service.py0.4 KBrepro/patch_analysis.md0.8 KB