BentoML, Symlink Traversal, (CVE not specified) (Medium)

How the mentioned CVE works:

The vulnerability exists in BentoML’s `bentoml build` packaging workflow. When building a Bento from an untrusted repository or attacker-supplied build context, the code recursively walks the build context directory using `os.walk()`. For each file matched by the `include` list in `bentofile.yaml`, it constructs `src_file = ctx_path.joinpath(path)` and copies it into the destination Bento artifact with `shutil.copy()`. The critical flaw is that nothing validates that the resolved, dereferenced path of a symlink remains inside `ctx_path`. An attacker can place a malicious symlink (e.g., `loot.txt -> /etc/passwd`) inside the build context. During the build, `shutil.copy()` follows the symlink and copies the target file’s contents from the host filesystem into the Bento, not the symlink itself. This allows arbitrary local file exfiltration.

The leaked file then propagates when the Bento is exported, pushed to a registry, or containerized. The issue is a build-time path traversal/symlink traversal, not a runtime API flaw. The provided PoC against BentoML 1.4.38 creates an external marker file, creates a symlink to it, runs `bentoml build`, exports the Bento, and verifies that the external file’s contents appear inside the artifact.

dailycve form:

Platform: BentoML
Version: 1.4.38
Vulnerability: Symlink traversal build
Severity: Medium
date: 2026-05-07

Prediction: 2026-06-15

What Undercode Say:

```bash
# Check if bentoml build follows symlinks outside context
mkdir -p /tmp/bento-test
cd /tmp/bento-test
echo "secret" > /tmp/sensitive.txt
ln -s /tmp/sensitive.txt loot.txt
cat > bentofile.yaml <<EOF
service: "service:Demo"
include: ["loot.txt"]
EOF
cat > service.py <<EOF
import bentoml

@bentoml.service
class Demo:
    @bentoml.api
    def ping(self, x: str) -> str:
        return x
EOF
bentoml build --output tag
bentoml export demo:latest /tmp/export.zip
# List the archive entries that match the symlink name
unzip -l /tmp/export.zip | grep -E "loot.txt|sensitive"
# Print the contents of the copied entry
unzip -p /tmp/export.zip '*loot.txt'
# If loot.txt contents show "secret", vulnerability exists
```

How the exploit works:

  1. Attacker crafts a repository with a symlink pointing to a sensitive local file (e.g., ~/.ssh/id_rsa).
  2. Victim runs `bentoml build` on that repository (CI, developer machine).
  3. BentoML copies the actual target file into the Bento under src/.
  4. Victim exports/pushes the Bento, allowing attacker to retrieve the leaked file.

Protection from this CVE:

  • Upgrade to a patched BentoML version (if available).
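  • Before building, scan the build context for symlinks and confirm that none resolve outside the directory. `find . -type l -exec test -e {} \; -print` lists the symlinks whose targets exist; each listed link's target still has to be checked against the context root.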
  • Use isolated build environments (containers) with only necessary files mounted.
  • Manually validate `bentofile.yaml` includes – do not include untrusted symlinks.
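
A pre-build scan for the symlink check in the list above, as an added example (not BentoML's code and not the project's patch). It applies the containment test the write-up says is missing: resolve each symlink and compare the result with the resolved context root. The function names and the sample directory layout are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(ctx_path):
    """Return (link, resolved_target) for every symlink under ctx_path
    whose fully resolved target lies outside ctx_path."""
    root = Path(ctx_path).resolve()
    escaping = []
    # followlinks=False: never descend through a directory symlink.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Directory symlinks show up in dirnames, file symlinks in filenames.
        for name in dirnames + filenames:
            entry = Path(dirpath, name)
            if not entry.is_symlink():
                continue
            target = entry.resolve()  # dereferences chains of links
            if not target.is_relative_to(root):  # Python 3.9+
                escaping.append((entry.relative_to(root), target))
    return sorted(escaping)


def demo():
    """Constructed sample: two links leave the context, one stays inside."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp, "outside.txt")
        outside.write_text("secret\n")
        ctx = Path(tmp, "ctx")
        (ctx / "data").mkdir(parents=True)
        (ctx / "data" / "real.txt").write_text("ok\n")
        # Stays inside the context: must not be reported.
        (ctx / "inside.txt").symlink_to(ctx / "data" / "real.txt")
        # Absolute target outside the context.
        (ctx / "loot.txt").symlink_to(outside)
        # Relative target that climbs out with "..".
        (ctx / "data" / "up.txt").symlink_to("../../outside.txt")
        return [str(link) for link, _ in find_escaping_symlinks(ctx)]


if __name__ == "__main__":
    for link in demo():
        print("escapes build context:", link)
```

Run against the real build context in CI before `bentoml build` and fail the job if the returned list is not empty.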

Impact:

Exfiltration of local secrets (cloud credentials, SSH keys, API tokens, environment files) from build host. Leaked data can spread via exported Bentos, container images, or remote storage, leading to lateral movement and privilege escalation.

Sources:

Reported By: github.com