What's the vulnerability?

A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version(v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server.

Root Cause Analysis

# RCA Report - GHSA-33xw-247w-6hmc (CVE-2025-27520)

Summary:
- Root Cause: In BentoML <=1.4.2, application/vnd.bentoml+pickle requests were deserialized with pickle.loads when payload.metadata lacked "buffer-lengths" in serde.deserialize_value, allowing execution of attacker-controlled pickle opcodes from HTTP requests.
- Impact: Remote code execution by unauthenticated clients.

Evidence (vulnerable 1.4.2):
- Exploit sent with Content-Type: application/vnd.bentoml+pickle to /summarize.
- Server executed shell commands to append markers to logs/rce_proof.txt.
- Repro script logs show markers present:
  - RCE_ATTEMPT_1_...
  - RCE_ATTEMPT_2_...
  - RCE_ATTEMPT_3_...

Patched verification (latest 1.4.30):
- application/vnd.bentoml+pickle is rejected with 415 ("not allowed in main server").
- Case/param variations return 400/415 and do not execute payloads.
- logs/rce_proof_patched.txt remains empty.

Files:
- Script: bundle/reproduction_steps.sh
- Logs: bundle/logs/*
- Patch analysis: repro/patch_analysis.md
One Command

Verify with pruva-verify

Run the Pruva CLI to automatically fetch and execute the reproduction script.

pruva-verify REPRO-2026-00045
or pruva-verify GHSA-33xw-247w-6hmc
or pruva-verify CVE-2025-27520
Install: curl -fsSL https://pruva.dev/install.sh | sh

Or Run Manually

1

Download the script

curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00045/artifacts/reproduction_steps.sh
2

Make executable

chmod +x reproduction_steps.sh
3

Run the script

./reproduction_steps.sh
Run in a VM, container, or disposable environment. This exploits a real vulnerability.

How Pruva Reproduced This

Watch the AI agent's step-by-step process.

Loading session...

Artifacts

No artifacts available