Skip to content
Verified reproduction

CVE-2025-27520: BentoML RCE via Insecure Deserialization

CVE-2025-27520 is verified against bentoml · pip affected versions: >=1.3.4, <1.4.3 fixed version: 1.4.3 vulnerability class: RCE This critical reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00045.

REPRO-2026-00045 bentoml · pip RCE Jan 7, 2026 CVE entry .txt
Severity CRITICAL
Confidence HIGH
Reproduced in 16m 37s
Tool calls 33
Affected >=1.3.4, <1.4.3
Fixed in 1.4.3
$ pruva-verify REPRO-2026-00045
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00045/artifacts/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version(v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server.

03 · Root cause
# RCA Report - GHSA-33xw-247w-6hmc (CVE-2025-27520)

Summary:
- Root Cause: In BentoML <=1.4.2, application/vnd.bentoml+pickle requests were deserialized with pickle.loads when payload.metadata lacked "buffer-lengths" in serde.deserialize_value, allowing execution of attacker-controlled pickle opcodes from HTTP requests.
- Impact: Remote code execution by unauthenticated clients.

Evidence (vulnerable 1.4.2):
- Exploit sent with Content-Type: application/vnd.bentoml+pickle to /summarize.
- Server executed shell commands to append markers to logs/rce_proof.txt.
- Repro script logs show markers present:
  - RCE_ATTEMPT_1_...
  - RCE_ATTEMPT_2_...
  - RCE_ATTEMPT_3_...

Patched verification (latest 1.4.30):
- application/vnd.bentoml+pickle is rejected with 415 ("not allowed in main server").
- Case/param variations return 400/415 and do not execute payloads.
- logs/rce_proof_patched.txt remains empty.

Files:
- Script: bundle/reproduction_steps.sh
- Logs: bundle/logs/*
- Patch analysis: repro/patch_analysis.md
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.

No artifacts available