{"data":{"id":"dbbcb1b5-d0bd-4baa-aef2-cfc20bf086bf","title":"CVE-2025-27520: BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code","summary":"BentoML v1.4.2 contains a Remote Code Execution (RCE) vulnerability caused by insecure deserialization (unsafe handling of data conversion from storage format back into code objects), which allows unauthenticated users to execute arbitrary code on the server through an unsafe code segment in serde.py. This is a critical security flaw in a Python library used for building AI model serving systems.","solution":"This vulnerability is fixed in BentoML version 1.4.3. Users should upgrade from v1.4.2 to v1.4.3 or later.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2025-27520","publishedAt":"2025-04-04T19:15:47.927Z","cveId":"CVE-2025-27520","cweIds":["CWE-502"],"cvssScore":"9.8","cvssSeverity":"critical","severity":"critical","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["BentoML"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.8095,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-586"],"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"inference","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}