CVE-2025-27520

CRITICAL LAB

BentoML >=1.3.4 <1.4.3 - Unauthenticated Remote Code Execution via Insecure Deserialization

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2025-27520. PoCs published by Evillm, amalpvatayam67, c2an1, Takahiro Yokoyama, including Metasploit module exploits/linux/http/bentoml_rce_cve_2025_27520.

AI-analyzed exploit summary: This repository contains a safe educational simulation of CVE-2025-27520, demonstrating a deserialization vulnerability via a Flask-based service and a Python scanner. The PoC creates file-based evidence instead of executing arbitrary commands, ensuring safety.

Description

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version (v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. The vulnerability stems from an unsafe code segment in serde.py. It is fixed in 1.4.3.

Exploits (3)

nomisec WORKING POC
by Evillm · poc
https://github.com/Evillm/CVE-2025-27520-PoC

This repository contains a safe educational simulation of CVE-2025-27520, demonstrating a deserialization vulnerability via a Flask-based service and a Python scanner. The PoC creates file-based evidence instead of executing arbitrary commands, ensuring safety.

Classification: Working PoC 95%
Attack Type: Deserialization
Complexity: Trivial
Reliability: Reliable
Target: Custom Flask application (simulated)
No auth needed
Prerequisites: Docker · Python 3.11+ · Network access to the target service
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by amalpvatayam67 · poc
https://github.com/amalpvatayam67/day09-bentoml-deser-lab

This repository contains a working proof-of-concept for CVE-2025-27520, demonstrating an insecure deserialization vulnerability in a BentoML-style application. The exploit leverages Python's pickle module to achieve remote code execution (RCE) via a crafted base64-encoded payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: BentoML (version not specified)
No auth needed
Prerequisites: Docker environment · Network access to the vulnerable application
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by c2an1, Takahiro Yokoyama · ruby · poc · python
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/bentoml_rce_cve_2025_27520.rb

This Metasploit module exploits an insecure deserialization vulnerability in BentoML v1.4.2, allowing unauthenticated RCE via a crafted pickle payload sent to a vulnerable API endpoint.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: BentoML v1.3.4 to v1.4.2
No auth needed
Prerequisites: Network access to the target server · Vulnerable BentoML version running
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.7576
EPSS Percentile 98.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-502
Status published
Products (2)
bentoml/bentoml 1.3.4 - 1.4.2
pypi/bentoml 1.3.4 - 1.4.3 (PyPI)
Published Apr 04, 2025
Tracked Since Feb 18, 2026