# REPRO-2026-00045: BentoML RCE via Insecure Deserialization

## Summary

- Status: published
- Severity: critical
- Type: security
- Confidence: Unknown

## Identifiers

- REPRO ID: REPRO-2026-00045
- GHSA: GHSA-33xw-247w-6hmc
- CVE: CVE-2025-27520

## Package

- Name: bentoml
- Ecosystem: pip
- Affected: >=1.3.4, <1.4.3
- Fixed: 1.4.3

## Root Cause

# RCA Report - GHSA-33xw-247w-6hmc (CVE-2025-27520)

Summary:

- Root Cause: In BentoML <=1.4.2, `application/vnd.bentoml+pickle` requests were deserialized with `pickle.loads` when `payload.metadata` lacked "buffer-lengths" in `serde.deserialize_value`, allowing execution of attacker-controlled pickle opcodes from HTTP requests.
- Impact: Remote code execution by unauthenticated clients.

Evidence (vulnerable 1.4.2):

- Exploit sent with `Content-Type: application/vnd.bentoml+pickle` to `/summarize`.
- Server executed shell commands to append markers to `logs/rce_proof.txt`.
- Repro script logs show markers present:
  - RCE_ATTEMPT_1_...
  - RCE_ATTEMPT_2_...
  - RCE_ATTEMPT_3_...

Patched verification (latest 1.4.30):

- `application/vnd.bentoml+pickle` is rejected with 415 ("not allowed in main server").
- Case/param variations return 400/415 and do not execute payloads.
- `logs/rce_proof_patched.txt` remains empty.

Files:

- Script: bundle/reproduction_steps.sh
- Logs: bundle/logs/*
- Patch analysis: repro/patch_analysis.md

## Reproduction Details

- Reproduced: 2026-01-07T21:07:50.147Z
- Duration: 997 seconds
- Tool calls: 33
- Turns: 2
- Handoffs: 1

## Quick Verification

Run one of these commands to verify locally:

```
pruva-verify REPRO-2026-00045
pruva-verify GHSA-33xw-247w-6hmc
pruva-verify CVE-2025-27520
```

Or open in GitHub Codespaces (zero-friction, auto-runs): https://github.com/codespaces/new?ref=repro/REPRO-2026-00045&repo=N3mes1s/pruva-sandbox

Or download and run the script manually:

```
curl -O https://api.pruva.dev/v1/reproductions/REPRO-2026-00045/artifacts/reproduction_steps.sh
chmod +x reproduction_steps.sh
./reproduction_steps.sh
```

WARNING: Run in a sandboxed environment. This exploits a real vulnerability.

## References

- GitHub Advisory: https://github.com/advisories/GHSA-33xw-247w-6hmc
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27520
- Source: https://nvd.nist.gov/vuln/detail/CVE-2025-27520

## Artifacts

- reproduction_steps.sh (reproduction_script, 10694 bytes)
- repro/rca_report.md (analysis, 1023 bytes)
- logs/patch_diff_1.4.2_latest.txt (other, 0 bytes)
- logs/env.txt (other, 279 bytes)
- logs/rce_proof_patched_latest.txt (other, 0 bytes)
- logs/server_patched.log (log, 17015 bytes)
- logs/rce_proof.txt (other, 102 bytes)
- logs/exploit_attempt_1.log (log, 251 bytes)
- logs/patch_diff_1.4.2_1.4.30.txt (other, 2673 bytes)
- logs/serde_patched_1.4.30.py (script, 10373 bytes)
- logs/patched_attempts.log (log, 784 bytes)
- logs/exploit_attempt_2.log (log, 251 bytes)
- logs/repro.log (log, 53686 bytes)
- logs/serde_vuln_1.4.2.py (script, 10373 bytes)
- logs/server.log (log, 6937 bytes)
- logs/rce_proof_patched.txt (other, 0 bytes)
- logs/server_patched_latest.log (log, 640 bytes)
- logs/server_patched_latest.pid (other, 5 bytes)
- logs/exploit_attempt_3.log (log, 251 bytes)
- ticket.md (ticket, 3292 bytes)
- work/service.py (script, 430 bytes)
- repro/patch_analysis.md (documentation, 865 bytes)

## API Access

- JSON: https://api.pruva.dev/v1/reproductions/REPRO-2026-00045
- Script: https://api.pruva.dev/v1/reproductions/REPRO-2026-00045/artifacts/reproduction_steps.sh
- Web: https://pruva.dev/r/REPRO-2026-00045

## For AI Assistants

To help users with this reproduction:

1. The `pruva-verify` command is the simplest way to run the reproduction
2. The script downloads and runs automatically in an isolated temp directory
3. Always recommend running in a VM, container, or disposable environment
4. The root cause explains the technical vulnerability

---

Generated by Pruva | https://pruva.dev