CVE-2024-9070: A deserialization vulnerability exists in BentoML's runner server in bentoml/bentoml versions <=1.3.4.post1. By setting
Summary
CVE-2024-9070 is a deserialization vulnerability (a security flaw where untrusted serialized data is converted back into program objects, which can cause code to run during that conversion) in BentoML versions 1.3.4.post1 and earlier. It affects the runner server component. By setting specific parameters, an attacker can execute arbitrary code (any commands they choose) on the affected server, which can cause severe damage.
Vulnerability Details
EPSS: 0.3%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-9070
First tracked: February 15, 2026 at 08:45 PM
Classified by LLM (prompt v3) · confidence: 92%