CRITICAL🇵🇱 Wersja polska

CVE-2024-2912

CVSS 10.0v3.1pub. 2024-04-16upd. 2026-04-15

An insecure deserialization vulnerability exists in the BentoML framework, allowing remote code execution (RCE) by sending a specially crafted POST request. By exploiting this vulnerability, attackers can execute arbitrary commands on the server hosting the BentoML application. The vulnerability is triggered when a serialized object, crafted to execute OS commands upon deserialization, is sent to any valid BentoML endpoint. This issue poses a significant security risk, enabling attackers to compromise the server and potentially gain unauthorized access or control.

🤖 AI Analysis
How it works

The vulnerability is triggered by sending a POST request containing a maliciously crafted serialized object to any valid BentoML endpoint. During the deserialization process, the framework processes the submitted object without proper validation, resulting in execution of embedded system commands (OS commands). This mechanism corresponds to CWE-1188 classification (insecure default initialization), where inappropriate default deserialization settings lead to a critical vulnerability. The lack of authentication requirement and absence of user interaction makes the attack particularly easy to perform.

Impact

An attacker can execute arbitrary commands on the server, leading to complete takeover of the host, data breach, installation of malware, or unauthorized access to infrastructure resources.

Mitigation & patch

Apply patches available from the vendor according to the references — the fix was introduced in commit fd70379733c57c6368cc022ac1f841b7b426db7b in the BentoML GitHub repository. Immediate update to a version containing this patch is recommended, and exposure of BentoML endpoints should be restricted to trusted networks only.

Who is affected

BentoML framework — versions indicated in vendor references (see fix commit: fd70379733c57c6368cc022ac1f841b7b426db7b)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDeserialization
CWE
References