GHSA-78f9-r8mh-4xm2: BentoML Dockerfile command injection via docker.base_image (sister of pending GHSA-w2pm-x38x-jp44 / CVE-2026-33744 / CVE-2026-35043)
Summary
BentoML has a command injection vulnerability where the `docker.base_image` field in a bento.yaml configuration file is inserted directly into a Dockerfile template without any validation or escaping. An attacker can supply a malicious bento.yaml with newlines in the `docker.base_image` value to inject arbitrary Dockerfile commands (like `RUN` directives that execute code) which get executed when a victim runs `bentoml containerize` to build a container image.
Solution / Mitigation
Validate `DockerOptions.base_image` at the config layer by rejecting any value containing newline characters (`\n`, `\r`) or whitespace beyond a single space-separated tag. The source suggests using a regex like `^[A-Za-z0-9._/-]+(:[A-Za-z0-9._-]+)?(@sha256:[a-f0-9]{64})?$` to enforce practical Docker reference format. The same hardening should be extended to other unvalidated fields in the Dockerfile template: `__options__build_include[*]`, `bento__user`, `bento__uid_gid`, `bento__path`, `bento__home`, and `bento__entrypoint`.
Vulnerability Details
EPSS: 0.0%
Yes
May 11, 2026
Classification
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-78f9-r8mh-4xm2
First tracked: May 11, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%