CVE-2025-27520 PoC — BentoML 代码问题漏洞

Source

https://github.com/amalpvatayam67/day09-bentoml-deser-lab

Associated Vulnerability

Title:BentoML 代码问题漏洞 (CVE-2025-27520)
Description:BentoML是BentoML开源的一个开源模型服务库。用于使用 Python 构建高性能和可扩展的人工智能应用程序。 BentoML 1.3.4版本至1.4.3之前版本存在代码问题漏洞，该漏洞源于不安全反序列化问题，可能导致远程代码执行。

Description

ay 09 — CVE-2025-27520 (BentoML-style insecure deserialization) — Local Docker lab

Readme

# Day 09 — CVE-2025-27520 (BentoML-style insecure deserialization) — Local Docker lab

**This lab reproduces the insecure deserialization class that led to CVE-2025-27520.**  
It is intentionally vulnerable for educational purposes. Run locally in Docker only.

## Quickstart

Build and run:

```bash
docker build -t day09-bentoml-lab .
docker run --rm -d -p 8080:8080 --name day09 day09-bentoml-lab
```

File Snapshot


 [4.0K]  /data/pocs/98fb0c5d2dc997ee145c9e343ecd7633568eeab7
├── [7.2K]  app.py
├── [ 224]  DISCLAIMER.md
├── [ 641]  Dockerfile
├── [ 500]  entrypoint.sh
├── [ 915]  exploit.sh
├── [ 408]  README.md
└── [ 179]  requirements.txt

0 directories, 7 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!