Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-32375 PoC — Insecure Deserialization leads to RCE in BentoML's runner server

Source
https://github.com/theGEBIRGE/CVE-2025-32375
Associated Vulnerability
Title:Insecure Deserialization leads to RCE in BentoML's runner server (CVE-2025-32375)
Description:BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.8, there was an insecure deserialization in BentoML's runner server. By setting specific headers and parameters in the POST request, it is possible to execute any unauthorized arbitrary code on the server, which will grant the attackers to have the initial access and information disclosure on the server. This vulnerability is fixed in 1.4.8.
Description
This repository includes everything needed to run a PoC exploit for CVE-2025-32375 in a Docker environment. It runs the latest vulnerable version of BentoML (1.4.7).
Readme
# Setup for the vulnerable version.

Start the vulnerable container:
```sh
docker compose up
```

Create a listener (e.g. ncat):
```sh
ncat -klnv 1337
```

Run the exploit:
```sh
python3 exploit.py
```

You should receive an HTTP request in the ncat window with the contents of the OS command (`id` by default) if everything worked as expected.

# Credits
+ Vulnerability found by [SeaW1nd](https://twitter.com/SeaW1nd1405)
+ Based on the testing setup by [VickyTheViking](https://github.com/VickyTheViking)
File Snapshot

 [4.0K]  /data/pocs/de6595faecb8ec7ecfb23e4633a6b91845279c5d
├── [ 109]  docker-compose.yml
├── [ 408]  Dockerfile
├── [ 534]  exploit.py
├── [ 508]  README.md
└── [4.0K]  workdir
    ├── [ 172]  bentofile.yaml
    ├── [ 246]  create.py
    └── [ 460]  service.py

1 directory, 7 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →