CVE-2025-32375

Exploit

EPSS 51.17%
Veröffentlicht 09.04.2025 15:30:03
Zuletzt bearbeitet 22.04.2025 16:52:36
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.8, there was an insecure deserialization in BentoML's runner server. By setting specific headers and parameters in the POST request, it is possible to execute any unauthorized arbitrary code on the server, which will grant the attackers to have the initial access and information disclosure on the server. This vulnerability is fixed in 1.4.8.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Bentoml ≫ Bentoml Version >= 1.0.0 < 1.4.8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	51.17%	0.977

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://github.com/bentoml/BentoML/security/advisories/GHSA-7v4r-c989-xh26

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-32375

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-32375

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-32375

EUVD