CVE-2024-2912: An insecure deserialization vulnerability exists in the BentoML framework, allowing remote code execution (RCE) by sendi
criticalvulnerability
security
Summary
BentoML (a framework for building AI applications) contains an insecure deserialization vulnerability that lets attackers run arbitrary commands on servers by sending specially crafted requests. When the framework deserializes (converts stored data back into usable objects) a malicious object, it automatically executes hidden OS commands, giving attackers control of the server.
Vulnerability Details
CVSS Score
10(critical)
EPSS (30-day exploit probability)
EPSS: 7.5%
Classification
Attack Type
Model Poisoning
Attack SophisticationModerate
Impact (CIA+S)
confidentialityintegrity
Taxonomy References
CWE (Weakness Type)
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-2912
First tracked: February 15, 2026 at 08:45 PM
Classified by LLM (prompt v3) · confidence: 95%