
Critical Deserialization Vulnerability in BentoML Allows Remote Code Execution
Tags: Security, AI, BentoML, Checkmarx, Cybersecurity, Python, RCE, Vulnerability, WAF
A critical deserialization vulnerability in BentoML, tracked as CVE-2025-27520 and rated CVSS 9.8, lets an unauthenticated remote attacker execute arbitrary code on the serving host. The flaw, discovered by Checkmarx, affects BentoML versions 1.3.8 through 1.4.2 and therefore any AI model-serving deployment built on those releases. Because it is reachable without credentials, a successful exploit gives the attacker remote code execution (RCE) on the server and can lead to full compromise of the affected system. The vulnerability is fixed in BentoML 1.4.3; deployments on affected versions should upgrade, and until they do, the service should not be reachable from untrusted networks.
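The article names the bug class (deserialization of untrusted input in a Python service) but does not show the mechanism. The following is an added illustration of that class in general, written for this page; it is not BentoML's code and does not reproduce the specific CVE-2025-27520 flaw. The content-type string `application/x-pickle`, the handler names, and the payload are all constructed for the example. It shows why `pickle.loads` on a request body is remote code execution by design, and two hardened alternatives: refusing pickle from network peers entirely, or, where pickle must be kept for a trusted path, a restricted unpickler with an explicit allow-list.

```python
import io
import json
import pickle
import subprocess

# Constructed attacker payload (not from the advisory). __reduce__ tells pickle
# to rebuild the object by calling subprocess.check_output(["echo", "pwned"]),
# so any process that pickle.loads() this stream runs the command.
class MaliciousPayload:
    def __reduce__(self):
        return (subprocess.check_output, (["echo", "pwned"],))

def build_attacker_body() -> bytes:
    """Serialize the payload the way an attacker would before POSTing it."""
    return pickle.dumps(MaliciousPayload())

# Vulnerable pattern: trust the client's declared content type and unpickle
# the raw body. "application/x-pickle" is a hypothetical content type.
def vulnerable_deserialize(content_type: str, body: bytes):
    if content_type == "application/x-pickle":
        return pickle.loads(body)          # attacker-controlled code runs here
    return json.loads(body)

# Hardened pattern 1: never accept a pickle body from a network peer.
class UnsupportedMediaType(Exception):
    pass

def hardened_deserialize(content_type: str, body: bytes):
    if content_type != "application/json":
        raise UnsupportedMediaType(content_type)
    return json.loads(body)

# Hardened pattern 2: if pickle must stay for an internal trusted path,
# resolve only an explicit allow-list of globals. pickle calls find_class
# for every global the stream references, so subprocess.check_output is
# refused before it can ever be called.
SAFE_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def restricted_loads(body: bytes):
    return RestrictedUnpickler(io.BytesIO(body)).load()

def run_demo() -> dict:
    """Run the attacker body through each handler and report what happened."""
    body = build_attacker_body()
    results = {"vulnerable": vulnerable_deserialize("application/x-pickle", body)}
    try:
        hardened_deserialize("application/x-pickle", body)
        results["hardened"] = "accepted"
    except UnsupportedMediaType:
        results["hardened"] = "rejected"
    try:
        restricted_loads(body)
        results["restricted"] = "accepted"
    except pickle.UnpicklingError:
        results["restricted"] = "rejected"
    # Plain dicts and lists need no globals, so the restricted loader still
    # accepts benign data on the trusted path.
    results["restricted_benign"] = restricted_loads(pickle.dumps({"ok": [1, 2]}))
    return results

if __name__ == "__main__":
    print(run_demo())
```

The vulnerable handler returns the command's output, proving the command ran during deserialization; no flaw in the application's own logic is needed, only that `pickle.loads` sees attacker bytes. The allow-list approach is a fallback, not a first choice: any allowed global with side effects reopens the hole, so the preferred fix is the first hardened handler, which only accepts a data-only format such as JSON from untrusted clients.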