module
BentoML's runner server RCE
| Disclosed | Created |
|---|---|
| Apr 9, 2025 | Apr 23, 2025 |
Disclosed
Apr 9, 2025
Created
Apr 23, 2025
Description
There was an insecure deserialization in BentoML's runner server prior to version 1.4.8.
By setting specific headers and parameters in the POST request, it is possible to execute unauthorized arbitrary code in the context of the user running the server,
which will grant initial access and information disclosure.
By setting specific headers and parameters in the POST request, it is possible to execute unauthorized arbitrary code in the context of the user running the server,
which will grant initial access and information disclosure.
Authors
SeaWind
Takahiro Yokoyama
Takahiro Yokoyama
Platform
Linux,Python,Unix
Architectures
python, cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.