Search for packages
| purl | pkg:pypi/bentoml@1.0.0.dev1 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.3 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2kem-3zpv-9yfj
Aliases: CVE-2026-27905 GHSA-m6w7-qv66-g3mf |
BentoML Vulnerable to Arbitrary File Write via Symlink Path Traversal in Tar Extraction The `safe_extract_tarfile()` function validates that each tar member's path is within the destination directory, but for symlink members it only validates the symlink's own path, **not the symlink's target**. An attacker can create a malicious bento/model tar file containing a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary file write on the host filesystem. |
Affected by 3 other vulnerabilities. |
|
VCID-7ma3-q9pr-5ubm
Aliases: CVE-2024-2912 GHSA-hvj5-mvw9-93j3 |
Insecure deserialization in BentoML An insecure deserialization vulnerability exists in the BentoML framework, allowing remote code execution (RCE) by sending a specially crafted POST request. By exploiting this vulnerability, attackers can execute arbitrary commands on the server hosting the BentoML application. The vulnerability is triggered when a serialized object, crafted to execute OS commands upon deserialization, is sent to any valid BentoML endpoint. This issue poses a significant security risk, enabling attackers to compromise the server and potentially gain unauthorized access or control. |
Affected by 8 other vulnerabilities. |
|
VCID-7uh5-r7gx-qka6
Aliases: CVE-2024-9056 GHSA-hw8j-hw49-752c |
There are no reported fixed by versions. | |
|
VCID-8fmm-wxbk-7qcb
Aliases: CVE-2026-33744 GHSA-jfjg-vc52-wqvf PYSEC-2026-157 |
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`. Version 1.4.37 fixes the issue. |
Affected by 2 other vulnerabilities. |
|
VCID-c64b-txym-9fgf
Aliases: CVE-2026-24123 GHSA-6r62-w2q3-48hf |
BentoML has a Path Traversal via Bentofile Configuration BentoML's `bentofile.yaml` configuration allows path traversal attacks through multiple file path fields (`description`, `docker.setup_script`, `docker.dockerfile_template`, `conda.environment_yml`). An attacker can craft a malicious bentofile that, when built by a victim, exfiltrates arbitrary files from the filesystem into the bento archive. This enables supply chain attacks where sensitive files (SSH keys, credentials, environment variables) are silently embedded in bentos and exposed when pushed to registries or deployed. |
Affected by 4 other vulnerabilities. |
|
VCID-fvk4-zxh6-kuhs
Aliases: CVE-2026-35043 GHSA-fgv4-6jr3-jgfw PYSEC-2026-158 |
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the cloud deployment path in src/bentoml/_internal/cloud/deployment.py was not included in the fix for CVE-2026-33744. Line 1648 interpolates system_packages directly into a shell command using an f-string without any quoting. The generated script is uploaded to BentoCloud as setup.sh and executed on the cloud build infrastructure during deployment, making this a remote code execution on the CI/CD tier. This vulnerability is fixed in 1.4.38. |
Affected by 3 other vulnerabilities. |
|
VCID-urh1-515z-s3fg
Aliases: CVE-2026-35044 GHSA-v959-cwq9-7hr6 PYSEC-2026-159 |
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generate_containerfile() in src/bentoml/_internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfile_template files. When a victim imports a malicious bento archive and runs bentoml containerize, attacker-controlled Jinja2 template code executes arbitrary Python directly on the host machine, bypassing all container isolation. This vulnerability is fixed in 1.4.38. |
Affected by 3 other vulnerabilities. |
|
VCID-yuf4-1dgj-7qgm
Aliases: CVE-2024-9070 GHSA-9g44-gwvm-hc44 |
There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||