Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/44913?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/44913?format=api", "purl": "pkg:pypi/bentoml@1.3.9", "type": "pypi", "namespace": "", "name": "bentoml", "version": "1.3.9", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.4.39", "latest_non_vulnerable_version": "1.4.39", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57071?format=api", "vulnerability_id": "VCID-3ee4-zba6-gkc1", "summary": "BentoML Allows Remote Code Execution (RCE) via Insecure Deserialization\nA Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version(v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27520", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.75759", "scoring_system": "epss", "scoring_elements": "0.98926", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.75759", "scoring_system": "epss", "scoring_elements": "0.98927", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27520" }, { "reference_url": "https://github.com/bentoml/BentoML", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/bentoml/BentoML" }, { "reference_url": "https://github.com/bentoml/BentoML/commit/b35f4f4fcc53a8c3fe8ed9c18a013fe0a728e194", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-04T14:51:28Z/" } ], "url": "https://github.com/bentoml/BentoML/commit/b35f4f4fcc53a8c3fe8ed9c18a013fe0a728e194" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27520", "reference_id": "CVE-2025-27520", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27520" }, { "reference_url": "https://github.com/advisories/GHSA-33xw-247w-6hmc", "reference_id": "GHSA-33xw-247w-6hmc", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-33xw-247w-6hmc" }, { "reference_url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-33xw-247w-6hmc", "reference_id": "GHSA-33xw-247w-6hmc", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-04T14:51:28Z/" } ], "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-33xw-247w-6hmc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44932?format=api", "purl": "pkg:pypi/bentoml@1.4.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4bcc-ergh-83e6" }, { "vulnerability": "VCID-4wp2-p85j-s7dr" }, { "vulnerability": "VCID-5mjt-8ze7-h7d9" }, { "vulnerability": "VCID-8v7x-jmp1-f7dv" }, { "vulnerability": "VCID-bv3z-1yux-kka6" }, { "vulnerability": "VCID-nqwe-qcu8-jkan" }, { "vulnerability": "VCID-rgvz-28ah-d7a8" }, { "vulnerability": "VCID-twd8-ejvs-6ffv" }, { "vulnerability": "VCID-ujzb-bk9k-7yf2" }, { "vulnerability": "VCID-wzre-vn34-qqak" }, { "vulnerability": "VCID-z6sb-5n7n-1qgz" }, { "vulnerability": "VCID-zxca-jerw-6ycm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/bentoml@1.4.3" } ], "aliases": [ "CVE-2025-27520", "GHSA-33xw-247w-6hmc" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3ee4-zba6-gkc1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37043?format=api", "vulnerability_id": "VCID-4bcc-ergh-83e6", "summary": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.8, there was an insecure deserialization in BentoML's runner server. By setting specific headers and parameters in the POST request, it is possible to execute any unauthorized arbitrary code on the server, which will grant the attackers to have the initial access and information disclosure on the server. This vulnerability is fixed in 1.4.8.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-32375", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.65238", "scoring_system": "epss", "scoring_elements": "0.98502", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.65238", "scoring_system": "epss", "scoring_elements": "0.98501", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-32375" }, { "reference_url": "https://github.com/bentoml/BentoML", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/bentoml/BentoML" }, { "reference_url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-7v4r-c989-xh26", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-09T15:40:47Z/" } ], "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-7v4r-c989-xh26" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/bentoml/PYSEC-2025-32.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/bentoml/PYSEC-2025-32.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32375", "reference_id": "CVE-2025-32375", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32375" }, { "reference_url": "https://github.com/advisories/GHSA-7v4r-c989-xh26", "reference_id": "GHSA-7v4r-c989-xh26", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7v4r-c989-xh26" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44937?format=api", "purl": "pkg:pypi/bentoml@1.4.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4wp2-p85j-s7dr" }, { "vulnerability": "VCID-5mjt-8ze7-h7d9" }, { "vulnerability": "VCID-8v7x-jmp1-f7dv" }, { "vulnerability": "VCID-bv3z-1yux-kka6" }, { "vulnerability": "VCID-rgvz-28ah-d7a8" }, { "vulnerability": "VCID-twd8-ejvs-6ffv" }, { "vulnerability": "VCID-ujzb-bk9k-7yf2" }, { "vulnerability": "VCID-z6sb-5n7n-1qgz" }, { "vulnerability": "VCID-zxca-jerw-6ycm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/bentoml@1.4.8" } ], "aliases": [ "CVE-2025-32375", "GHSA-7v4r-c989-xh26", "PYSEC-2025-32" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4bcc-ergh-83e6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49839?format=api", "vulnerability_id": "VCID-4wp2-p85j-s7dr", "summary": "BentoML has a Path Traversal via Bentofile Configuration\nBentoML's `bentofile.yaml` configuration allows path traversal attacks through multiple file path fields (`description`, `docker.setup_script`, `docker.dockerfile_template`, `conda.environment_yml`). An attacker can craft a malicious bentofile that, when built by a victim, exfiltrates arbitrary files from the filesystem into the bento archive. This enables supply chain attacks where sensitive files (SSH keys, credentials, environment variables) are silently embedded in bentos and exposed when pushed to registries or deployed.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24123", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03428", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03443", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.0343", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24123" }, { "reference_url": "https://github.com/bentoml/BentoML", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/bentoml/BentoML" }, { "reference_url": "https://github.com/bentoml/BentoML/commit/84d08cfeb40c5f2ce71b3d3444bbaa0fb16b5ca4", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:36:54Z/" } ], "url": "https://github.com/bentoml/BentoML/commit/84d08cfeb40c5f2ce71b3d3444bbaa0fb16b5ca4" }, { "reference_url": "https://github.com/bentoml/BentoML/releases/tag/v1.4.34", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:36:54Z/" } ], "url": "https://github.com/bentoml/BentoML/releases/tag/v1.4.34" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24123", "reference_id": "CVE-2026-24123", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24123" }, { "reference_url": "https://github.com/advisories/GHSA-6r62-w2q3-48hf", "reference_id": "GHSA-6r62-w2q3-48hf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6r62-w2q3-48hf" }, { "reference_url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-6r62-w2q3-48hf", "reference_id": "GHSA-6r62-w2q3-48hf", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:36:54Z/" } ], "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-6r62-w2q3-48hf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49076?format=api", "purl": "pkg:pypi/bentoml@1.4.34", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5mjt-8ze7-h7d9" }, { "vulnerability": "VCID-bv3z-1yux-kka6" }, { "vulnerability": "VCID-rgvz-28ah-d7a8" }, { "vulnerability": "VCID-twd8-ejvs-6ffv" }, { "vulnerability": "VCID-ujzb-bk9k-7yf2" }, { "vulnerability": "VCID-z6sb-5n7n-1qgz" }, { "vulnerability": "VCID-zxca-jerw-6ycm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/bentoml@1.4.34" } ], "aliases": [ "CVE-2026-24123", "GHSA-6r62-w2q3-48hf" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4wp2-p85j-s7dr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51271?format=api", "vulnerability_id": "VCID-5mjt-8ze7-h7d9", "summary": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, a malicious bentofile.yaml containing a newline-injected value in envs[*].name produces unquoted RUN directives in the BentoML-generated Dockerfile. When the victim runs bentoml containerize on the imported bento, those RUN directives execute on the host during docker build. This vulnerability is fixed in 1.4.39.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44346", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14719", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14685", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14726", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44346" }, { "reference_url": "https://github.com/bentoml/BentoML", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/bentoml/BentoML" }, { "reference_url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-78f9-r8mh-4xm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-78f9-r8mh-4xm2" }, { "reference_url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-w2pm-x38x-jp44", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-28T15:09:12Z/" } ], "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-w2pm-x38x-jp44" }, { "reference_url": "https://github.com/advisories/GHSA-w2pm-x38x-jp44", "reference_id": "GHSA-w2pm-x38x-jp44", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w2pm-x38x-jp44" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/75163?format=api", "purl": "pkg:pypi/bentoml@1.4.39", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/bentoml@1.4.39" } ], "aliases": [ "CVE-2026-44346", "GHSA-w2pm-x38x-jp44", "PYSEC-2026-190" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5mjt-8ze7-h7d9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37262?format=api", "vulnerability_id": "VCID-bv3z-1yux-kka6", "summary": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generate_containerfile() in src/bentoml/_internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfile_template files. When a victim imports a malicious bento archive and runs bentoml containerize, attacker-controlled Jinja2 template code executes arbitrary Python directly on the host machine, bypassing all container isolation. This vulnerability is fixed in 1.4.38.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35044", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06766", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06758", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.0677", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35044" }, { "reference_url": "https://github.com/bentoml/BentoML", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/bentoml/BentoML" }, { "reference_url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-v959-cwq9-7hr6", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-06T18:49:50Z/" } ], "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-v959-cwq9-7hr6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35044", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35044" }, { "reference_url": "https://github.com/advisories/GHSA-v959-cwq9-7hr6", "reference_id": "GHSA-v959-cwq9-7hr6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v959-cwq9-7hr6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49121?format=api", "purl": "pkg:pypi/bentoml@1.4.38", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5mjt-8ze7-h7d9" }, { "vulnerability": "VCID-rgvz-28ah-d7a8" }, { "vulnerability": "VCID-ujzb-bk9k-7yf2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/bentoml@1.4.38" } ], "aliases": [ "CVE-2026-35044", "GHSA-v959-cwq9-7hr6", "PYSEC-2026-159" ], "risk_score": 4.3, "exploitability": "0.5", "weighted_severity": "8.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bv3z-1yux-kka6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56842?format=api", "vulnerability_id": "VCID-ek5w-sqgd-xkbg", "summary": "BentoML Open Redirect vulnerability\nAn open redirect vulnerability in bentoml/bentoml v1.3.9 allows a remote unauthenticated attacker to redirect users to arbitrary websites via a specially crafted URL. This can be exploited for phishing attacks, malware distribution, and credential theft.", "references": [ { "reference_url": "https://github.com/bentoml/BentoML", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/bentoml/BentoML" }, { "reference_url": "https://huntr.com/bounties/2a284ff6-cc6c-4a10-b72e-1bb31c842bca", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.com/bounties/2a284ff6-cc6c-4a10-b72e-1bb31c842bca" }, { "reference_url": "https://huntr.com/bounties/35aaea93-6895-4f03-9c1b-cd992665aa60", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.com/bounties/35aaea93-6895-4f03-9c1b-cd992665aa60" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12760", "reference_id": "CVE-2024-12760", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12760" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4940", "reference_id": "CVE-2024-4940", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4940" }, { "reference_url": "https://github.com/advisories/GHSA-564p-rx2q-4c8v", "reference_id": "GHSA-564p-rx2q-4c8v", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-564p-rx2q-4c8v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44914?format=api", "purl": "pkg:pypi/bentoml@1.3.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3ee4-zba6-gkc1" }, { "vulnerability": "VCID-4bcc-ergh-83e6" }, { "vulnerability": "VCID-4wp2-p85j-s7dr" }, { "vulnerability": "VCID-5mjt-8ze7-h7d9" }, { "vulnerability": "VCID-bv3z-1yux-kka6" }, { "vulnerability": "VCID-nqwe-qcu8-jkan" }, { "vulnerability": "VCID-rgvz-28ah-d7a8" }, { "vulnerability": "VCID-twd8-ejvs-6ffv" }, { "vulnerability": "VCID-ujzb-bk9k-7yf2" }, { "vulnerability": "VCID-wzre-vn34-qqak" }, { "vulnerability": "VCID-z6sb-5n7n-1qgz" }, { "vulnerability": "VCID-zxca-jerw-6ycm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/bentoml@1.3.10" } ], "aliases": [ "CVE-2024-12760", "GHSA-564p-rx2q-4c8v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ek5w-sqgd-xkbg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56851?format=api", "vulnerability_id": "VCID-h88c-7wrv-fyg2", "summary": "BentoML vulnerable to Uncontrolled Resource Consumption\nIn bentoml/bentoml version 1.3.9, the `/login` endpoint of the newly integrated Gradio app is vulnerable to a Denial of Service (DoS) attack. This vulnerability can be exploited by appending characters, such as dashes (-), to the end of a multipart boundary in an HTTP request. The server continuously processes each character, leading to excessive resource consumption and rendering the service unavailable. The issue is unauthenticated and does not require any user interaction.", "references": [ { "reference_url": "https://github.com/bentoml/BentoML", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/bentoml/BentoML" }, { "reference_url": "https://huntr.com/bounties/7b5932bb-58d1-4e71-b85c-43dc40522ff2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.com/bounties/7b5932bb-58d1-4e71-b85c-43dc40522ff2" }, { "reference_url": "https://huntr.com/bounties/e467ec92-0ad1-4461-8468-1beabf701b9f", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.com/bounties/e467ec92-0ad1-4461-8468-1beabf701b9f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12759", "reference_id": "CVE-2024-12759", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12759" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8966", "reference_id": "CVE-2024-8966", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8966" }, { "reference_url": "https://github.com/advisories/GHSA-hh3j-9m59-p8vc", "reference_id": "GHSA-hh3j-9m59-p8vc", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hh3j-9m59-p8vc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44914?format=api", "purl": "pkg:pypi/bentoml@1.3.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3ee4-zba6-gkc1" }, { "vulnerability": "VCID-4bcc-ergh-83e6" }, { "vulnerability": "VCID-4wp2-p85j-s7dr" }, { "vulnerability": "VCID-5mjt-8ze7-h7d9" }, { "vulnerability": "VCID-bv3z-1yux-kka6" }, { "vulnerability": "VCID-nqwe-qcu8-jkan" }, { "vulnerability": "VCID-rgvz-28ah-d7a8" }, { "vulnerability": "VCID-twd8-ejvs-6ffv" }, { "vulnerability": "VCID-ujzb-bk9k-7yf2" }, { "vulnerability": "VCID-wzre-vn34-qqak" }, { "vulnerability": "VCID-z6sb-5n7n-1qgz" }, { "vulnerability": "VCID-zxca-jerw-6ycm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/bentoml@1.3.10" } ], "aliases": [ "CVE-2024-12759", "GHSA-hh3j-9m59-p8vc" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h88c-7wrv-fyg2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56925?format=api", "vulnerability_id": "VCID-nqwe-qcu8-jkan", "summary": "BentoML deserialization vulnerability\nA deserialization vulnerability exists in BentoML's runner server in bentoml/bentoml versions <=1.3.4.post1. By setting specific parameters, an attacker can execute unauthorized arbitrary code on the server, causing severe harm. The vulnerability is triggered when the args-number parameter is greater than 1, leading to automatic deserialization and arbitrary code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-9070", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0041", "scoring_system": "epss", "scoring_elements": "0.61729", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.0041", "scoring_system": "epss", "scoring_elements": "0.61724", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0041", "scoring_system": "epss", "scoring_elements": "0.61736", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-9070" }, { "reference_url": "https://github.com/bentoml/BentoML", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/bentoml/BentoML" }, { "reference_url": "https://github.com/bentoml/BentoML/blob/a6f5f937be6ec278f3d4f3bbc6f3c8f9564820d7/src/bentoml/_internal/server/runner_app.py#L297", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/bentoml/BentoML/blob/a6f5f937be6ec278f3d4f3bbc6f3c8f9564820d7/src/bentoml/_internal/server/runner_app.py#L297" }, { "reference_url": "https://github.com/bentoml/BentoML/blob/v1.4.5/src/bentoml/_internal/server/runner_app.py#L301", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/bentoml/BentoML/blob/v1.4.5/src/bentoml/_internal/server/runner_app.py#L301" }, { "reference_url": "https://huntr.com/bounties/7be6fc22-be18-44ee-a001-ac7158d5e1a5", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-20T17:51:14Z/" } ], "url": "https://huntr.com/bounties/7be6fc22-be18-44ee-a001-ac7158d5e1a5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9070", "reference_id": "CVE-2024-9070", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9070" }, { "reference_url": "https://github.com/advisories/GHSA-9g44-gwvm-hc44", "reference_id": "GHSA-9g44-gwvm-hc44", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-9g44-gwvm-hc44" } ], "fixed_packages": [], "aliases": [ "CVE-2024-9070", "GHSA-9g44-gwvm-hc44" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nqwe-qcu8-jkan" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95834?format=api", "vulnerability_id": "VCID-rgvz-28ah-d7a8", "summary": "BentoML has Information Disclosure in `bentoml build` via symlink traversal in the build context\n### Summary\nBentoML's `bentoml build` packaging workflow follows attacker-controlled symlinks inside the build context and copies the referenced file contents into the generated Bento artifact.\n\nIf a victim builds an untrusted repository or other attacker-supplied build context, the attacker can place a symlink such as `loot.txt -> /tmp/outside-marker.txt` or a link to a more sensitive local file. When `bentoml build` runs, BentoML dereferences the symlink and packages the target file contents into the Bento. The leaked file can then propagate further through export, push, or containerization workflows.\n\n### Details\nThe vulnerable code walks files under the build context and copies each matched entry into the Bento source directory:\n\n```python\nfor root, _, files in os.walk(ctx_path):\n for f in files:\n dir_path = os.path.relpath(root, ctx_path)\n path = os.path.join(dir_path, f).replace(os.sep, \"/\")\n if specs.includes(path):\n src_file = ctx_path.joinpath(path)\n dst_file = target_fs.joinpath(dest_path)\n shutil.copy(src_file, dst_file)\n```\n\nThere is no validation that the resolved path of `src_file` remains inside `ctx_path` before `shutil.copy` dereferences the source path. As a result, a repository-controlled symlink can cross the trust boundary from `attacker-controlled repository content` to `developer/CI host filesystem` during the build process.\n\nThis is a build-time path traversal / symlink traversal issue in the packaging feature, not a runtime API issue. The resulting Bento may later be exported, pushed to remote storage, or converted into a container image, which amplifies the leakage impact.\n\n### PoC\nThe issue was verified in WSL against BentoML 1.4.38. The following script reproduces the vulnerability by using a harmless marker file outside the build directory.\n\n```bash\nmkdir -p /tmp/bento-symlink-poc\ncd /tmp/bento-symlink-poc\n\nprintf 'BENTOML_SYMLINK_POC_123456\\n' > /tmp/outside-marker.txt\n\ncat > service.py <<'EOF'\nimport bentoml\n\n@bentoml.service\nclass Demo:\n @bentoml.api\n def ping(self, x: str) -> str:\n return x\nEOF\n\ncat > bentofile.yaml <<'EOF'\nservice: \"service:Demo\"\ninclude:\n - \"service.py\"\n - \"loot.txt\"\nEOF\n\nln -s /tmp/outside-marker.txt loot.txt\n\nbentoml build --output tag\nbentoml export demo:7pilrpjtlomelwct /tmp/poc.zip\n\nmkdir -p /tmp/poc-unzip\nunzip -o /tmp/poc.zip -d /tmp/poc-unzip\nfind /tmp/poc-unzip -name loot.txt -print\ncat /tmp/poc-unzip/**/src/loot.txt 2>/dev/null || \\\nfind /tmp/poc-unzip -path '*/src/loot.txt' -exec cat {} \\;\n```\n\n- The script creates `/tmp/outside-marker.txt` outside the build context as a stand-in for a sensitive local file.\n- It creates a minimal BentoML service and explicitly includes `loot.txt` in `bentofile.yaml`.\n- It creates `loot.txt` as a symlink to the external marker file.\n<img width=\"1531\" height=\"648\" alt=\"image\" src=\"https://github.com/user-attachments/assets/1312dcf0-74b0-4fb6-a05d-b68644470d82\" />\n\n- It runs `bentoml build`, exports the generated Bento, unzips it, and reads the packaged `src/loot.txt`.\n- Successful exploitation is confirmed when the packaged file contains `BENTOML_SYMLINK_POC_123456`, proving that BentoML copied the external file contents rather than keeping only the symlink.\n<img width=\"1315\" height=\"121\" alt=\"image\" src=\"https://github.com/user-attachments/assets/6ed34f51-9b68-4fa9-8a42-011deb84d54e\" />\n\n\n<img width=\"1697\" height=\"760\" alt=\"image\" src=\"https://github.com/user-attachments/assets/9b8a8ae5-4f06-46b4-9e4a-dee25cc5d203\" />\n\n\n### Impact\nAn attacker who can cause a developer, release engineer, or CI system to run `bentoml build` on an attacker-controlled repository can exfiltrate local files from the build host into the Bento artifact.\n\nThis can expose secrets such as cloud credentials, SSH keys, API tokens, environment files, or other sensitive local configuration. Because Bento artifacts are commonly exported, uploaded, stored, or containerized after build, the leaked file contents can spread beyond the original build machine.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40610", "reference_id": "", "reference_type": "", "scores": [ { "value": "3e-05", "scoring_system": "epss", "scoring_elements": "0.00093", "published_at": "2026-06-05T12:55:00Z" }, { "value": "3e-05", "scoring_system": "epss", "scoring_elements": "0.00094", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40610" }, { "reference_url": "https://github.com/bentoml/BentoML", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/bentoml/BentoML" }, { "reference_url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-mcfx-4vc6-qgxv", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-26T15:32:48Z/" } ], "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-mcfx-4vc6-qgxv" }, { "reference_url": "https://github.com/bentoml/BentoML/commit/5fb7cd41f92e2a56b45391284cf15b9ac9963a1f", "reference_id": "5fb7cd41f92e2a56b45391284cf15b9ac9963a1f", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-26T15:32:48Z/" } ], "url": "https://github.com/bentoml/BentoML/commit/5fb7cd41f92e2a56b45391284cf15b9ac9963a1f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40610", "reference_id": "CVE-2026-40610", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40610" }, { "reference_url": "https://github.com/advisories/GHSA-mcfx-4vc6-qgxv", "reference_id": "GHSA-mcfx-4vc6-qgxv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mcfx-4vc6-qgxv" }, { "reference_url": "https://github.com/bentoml/BentoML/releases/tag/v1.4.39", "reference_id": "v1.4.39", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-26T15:32:48Z/" } ], "url": "https://github.com/bentoml/BentoML/releases/tag/v1.4.39" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/75163?format=api", "purl": "pkg:pypi/bentoml@1.4.39", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/bentoml@1.4.39" } ], "aliases": [ "CVE-2026-40610", "GHSA-mcfx-4vc6-qgxv" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rgvz-28ah-d7a8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37256?format=api", "vulnerability_id": "VCID-twd8-ejvs-6ffv", "summary": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`. Version 1.4.37 fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33744", "reference_id": "", "reference_type": "", "scores": [ { "value": "9e-05", "scoring_system": "epss", "scoring_elements": "0.01053", "published_at": "2026-06-05T12:55:00Z" }, { "value": "9e-05", "scoring_system": "epss", "scoring_elements": "0.01052", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33744" }, { "reference_url": "https://github.com/bentoml/BentoML", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/bentoml/BentoML" }, { "reference_url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-27T20:01:10Z/" } ], "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33744", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33744" }, { "reference_url": "https://github.com/advisories/GHSA-jfjg-vc52-wqvf", "reference_id": "GHSA-jfjg-vc52-wqvf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jfjg-vc52-wqvf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49079?format=api", "purl": "pkg:pypi/bentoml@1.4.37", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5mjt-8ze7-h7d9" }, { "vulnerability": "VCID-bv3z-1yux-kka6" }, { "vulnerability": "VCID-rgvz-28ah-d7a8" }, { "vulnerability": "VCID-ujzb-bk9k-7yf2" }, { "vulnerability": "VCID-zxca-jerw-6ycm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/bentoml@1.4.37" } ], "aliases": [ "CVE-2026-33744", "GHSA-jfjg-vc52-wqvf", "PYSEC-2026-157" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-twd8-ejvs-6ffv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51260?format=api", "vulnerability_id": "VCID-ujzb-bk9k-7yf2", "summary": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, src/bentoml/_internal/container/frontend/dockerfile/templates/base_v2.j2 interpolates docker.base_image raw with no escaping, newline filtering, or validation. A malicious bento.yaml with a multi-line docker.base_image value smuggles arbitrary Dockerfile directives into the generated Dockerfile, and bentoml containerize then runs docker build which executes the injected RUN directives on the victim host. This vulnerability is fixed in 1.4.39.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44345", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14719", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14685", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14726", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44345" }, { "reference_url": "https://github.com/bentoml/BentoML", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/bentoml/BentoML" }, { "reference_url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-78f9-r8mh-4xm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-27T18:00:08Z/" } ], "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-78f9-r8mh-4xm2" }, { "reference_url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-w2pm-x38x-jp44", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-w2pm-x38x-jp44" }, { "reference_url": "https://github.com/advisories/GHSA-78f9-r8mh-4xm2", "reference_id": "GHSA-78f9-r8mh-4xm2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-78f9-r8mh-4xm2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/75163?format=api", "purl": "pkg:pypi/bentoml@1.4.39", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/bentoml@1.4.39" } ], "aliases": [ "CVE-2026-44345", "GHSA-78f9-r8mh-4xm2", "PYSEC-2026-189" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ujzb-bk9k-7yf2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56923?format=api", "vulnerability_id": "VCID-wzre-vn34-qqak", "summary": "BentoML Denial of Service (DoS) via Multipart Boundary\nBentoML version v1.3.4post1 is vulnerable to a Denial of Service (DoS) attack. The vulnerability can be exploited by appending characters, such as dashes (-), to the end of a multipart boundary in an HTTP request. This causes the server to continuously process each character, leading to excessive resource consumption and rendering the service unavailable. The issue is unauthenticated and does not require any user interaction, impacting all users of the service.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-9056", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00304", "scoring_system": "epss", "scoring_elements": "0.54028", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00304", "scoring_system": "epss", "scoring_elements": "0.54024", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00304", "scoring_system": "epss", "scoring_elements": "0.54036", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-9056" }, { "reference_url": "https://github.com/bentoml/BentoML", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/bentoml/BentoML" }, { "reference_url": "https://github.com/bentoml/BentoML/blob/a6f5f937be6ec278f3d4f3bbc6f3c8f9564820d7/src/bentoml/_internal/io_descriptors/file.py#L293", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/bentoml/BentoML/blob/a6f5f937be6ec278f3d4f3bbc6f3c8f9564820d7/src/bentoml/_internal/io_descriptors/file.py#L293" }, { "reference_url": "https://github.com/bentoml/BentoML/blob/v1.4.5/src/bentoml/_internal/io_descriptors/file.py#L293C9-L293C66", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/bentoml/BentoML/blob/v1.4.5/src/bentoml/_internal/io_descriptors/file.py#L293C9-L293C66" }, { "reference_url": "https://huntr.com/bounties/a24a13c2-0300-4a95-b26a-ac7fe8f6521b", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:52:04Z/" } ], "url": "https://huntr.com/bounties/a24a13c2-0300-4a95-b26a-ac7fe8f6521b" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9056", "reference_id": "CVE-2024-9056", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9056" }, { "reference_url": "https://github.com/advisories/GHSA-hw8j-hw49-752c", "reference_id": "GHSA-hw8j-hw49-752c", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hw8j-hw49-752c" } ], "fixed_packages": [], "aliases": [ "CVE-2024-9056", "GHSA-hw8j-hw49-752c" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wzre-vn34-qqak" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50640?format=api", "vulnerability_id": "VCID-z6sb-5n7n-1qgz", "summary": "BentoML Vulnerable to Arbitrary File Write via Symlink Path Traversal in Tar Extraction\nThe `safe_extract_tarfile()` function validates that each tar member's path is within the destination directory, but for symlink members it only validates the symlink's own path, **not the symlink's target**. An attacker can create a malicious bento/model tar file containing a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary file write on the host filesystem.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27905", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01115", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01116", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27905" }, { "reference_url": "https://github.com/bentoml/BentoML", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/bentoml/BentoML" }, { "reference_url": "https://github.com/bentoml/BentoML/commit/4e0eb007765ac04c7924220d643f264715cc9670", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T21:23:29Z/" } ], "url": "https://github.com/bentoml/BentoML/commit/4e0eb007765ac04c7924220d643f264715cc9670" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27905", "reference_id": "CVE-2026-27905", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27905" }, { "reference_url": "https://github.com/advisories/GHSA-m6w7-qv66-g3mf", "reference_id": "GHSA-m6w7-qv66-g3mf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m6w7-qv66-g3mf" }, { "reference_url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-m6w7-qv66-g3mf", "reference_id": "GHSA-m6w7-qv66-g3mf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T21:23:29Z/" } ], "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-m6w7-qv66-g3mf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49078?format=api", "purl": "pkg:pypi/bentoml@1.4.36", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5mjt-8ze7-h7d9" }, { "vulnerability": "VCID-bv3z-1yux-kka6" }, { "vulnerability": "VCID-rgvz-28ah-d7a8" }, { "vulnerability": "VCID-twd8-ejvs-6ffv" }, { "vulnerability": "VCID-ujzb-bk9k-7yf2" }, { "vulnerability": "VCID-zxca-jerw-6ycm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/bentoml@1.4.36" } ], "aliases": [ "CVE-2026-27905", "GHSA-m6w7-qv66-g3mf" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z6sb-5n7n-1qgz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37261?format=api", "vulnerability_id": "VCID-zxca-jerw-6ycm", "summary": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the cloud deployment path in src/bentoml/_internal/cloud/deployment.py was not included in the fix for CVE-2026-33744. Line 1648 interpolates system_packages directly into a shell command using an f-string without any quoting. The generated script is uploaded to BentoCloud as setup.sh and executed on the cloud build infrastructure during deployment, making this a remote code execution on the CI/CD tier. This vulnerability is fixed in 1.4.38.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35043", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08819", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08839", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08821", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35043" }, { "reference_url": "https://github.com/bentoml/BentoML", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/bentoml/BentoML" }, { "reference_url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-fgv4-6jr3-jgfw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-07T14:09:04Z/" } ], "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-fgv4-6jr3-jgfw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33744", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33744" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35043", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35043" }, { "reference_url": "https://github.com/advisories/GHSA-fgv4-6jr3-jgfw", "reference_id": "GHSA-fgv4-6jr3-jgfw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fgv4-6jr3-jgfw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49121?format=api", "purl": "pkg:pypi/bentoml@1.4.38", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5mjt-8ze7-h7d9" }, { "vulnerability": "VCID-rgvz-28ah-d7a8" }, { "vulnerability": "VCID-ujzb-bk9k-7yf2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/bentoml@1.4.38" } ], "aliases": [ "CVE-2026-35043", "GHSA-fgv4-6jr3-jgfw", "PYSEC-2026-158" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zxca-jerw-6ycm" } ], "fixing_vulnerabilities": [], "risk_score": "10.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/bentoml@1.3.9" }