CVE-2024-9070
CRITICALBentoML <= 1.3.4.post1 - Remote Code Execution via Runner Server Deserialization
Title source: llmDescription
A deserialization vulnerability exists in BentoML's runner server in bentoml/bentoml versions <=1.3.4.post1. By setting specific parameters, an attacker can execute unauthorized arbitrary code on the server, causing severe harm. The vulnerability is triggered when the args-number parameter is greater than 1, leading to automatic deserialization and arbitrary code execution.
References (1)
Core 1
Core References
Exploit, Third Party Advisory
https://huntr.com/bounties/7be6fc22-be18-44ee-a001-ac7158d5e1a5
Scores
CVSS v3
9.8
EPSS
0.0041
EPSS Percentile
61.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-502
Status
published
Products (2)
bentoml/bentoml/bentoml
unspecified - latest
pypi/bentoml
0PyPI
Published
Mar 20, 2025
Tracked Since
Feb 18, 2026