CVE-2025-27520: BentoML Allows Remote Code Execution (RCE) via Insecure Deserialization

April 4, 2025

A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version(v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server.

References

github.com/advisories/GHSA-33xw-247w-6hmc
github.com/bentoml/BentoML
github.com/bentoml/BentoML/commit/b35f4f4fcc53a8c3fe8ed9c18a013fe0a728e194
github.com/bentoml/BentoML/security/advisories/GHSA-33xw-247w-6hmc
nvd.nist.gov/vuln/detail/CVE-2025-27520

Code Behaviors & Features

Detect and mitigate CVE-2025-27520 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →