vulnfeed by Novadyne

CVE-2025-27520: BentoML pickle deserialization RCE

CVE-2025-27520 (BentoML pickle deserialization RCE) is a remote code execution (insecure deserialization) vulnerability in bentoml (PyPI). As of 2026-06-18 it carries an elevated 43.7% probability of exploitation in the next 30 days (EPSS). It is fixed in 1.4.3 — if you depend on an earlier version, upgrade.

Severity: Critical
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS (exploit probability, 30d): 43.7% · 99th percentile
Vulnerability type: Remote Code Execution (insecure deserialization)
Affected package: bentoml (PyPI)
Fixed in: 1.4.3

What is CVE-2025-27520?

BentoML's deserialize_value() deserialized pickle payloads from incoming HTTP requests without validation. An unauthenticated attacker could send a request with the application/vnd.bentoml+pickle content type to execute arbitrary code on the model-serving host. It was a regression of the earlier CVE-2024-2912 fix and was resolved in 1.4.3, which blocks pickle-typed request bodies.

Is CVE-2025-27520 exploitable?

CVE-2025-27520 has an EPSS score of 43.7% (99th percentile), meaning an elevated 43.7% probability of exploitation in the next 30 days. Its CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which scores as Critical severity. It is a remote code execution (insecure deserialization) issue.

What is the EPSS score for CVE-2025-27520?

As of 2026-06-18, the EPSS exploit-prediction score for CVE-2025-27520 is 43.7% (99th percentile). EPSS estimates the probability that a vulnerability will be exploited in the wild within the next 30 days and is recomputed daily by FIRST.org.

How do I fix CVE-2025-27520?

Upgrade bentoml to 1.4.3 or later.
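Where a host cannot be upgraded right away, requests carrying the application/vnd.bentoml+pickle content type can be refused in front of the service. The following is an added example, not BentoML's patch and not code from this advisory: a generic ASGI middleware that answers 415 for that media type. The names RejectPickleBodies, is_pickle_request and probe are hypothetical, and the request in probe() is constructed.

```python
import asyncio

# Media type named in the advisory (constant and class names are hypothetical).
BLOCKED_MEDIA_TYPE = "application/vnd.bentoml+pickle"


def is_pickle_request(headers):
    """True if a Content-Type header carries the blocked media type; parameters
    ("; charset=..."), surrounding whitespace and letter case are ignored."""
    for name, value in headers:  # ASGI headers: list of (name, value) byte pairs
        if name.lower() == b"content-type":
            media = value.decode("latin-1").split(";", 1)[0].strip().lower()
            if media == BLOCKED_MEDIA_TYPE:
                return True
    return False


class RejectPickleBodies:
    """ASGI middleware: answer 415 instead of forwarding pickle-typed requests."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and is_pickle_request(scope.get("headers", [])):
            await send({"type": "http.response.start", "status": 415,
                        "headers": [(b"content-length", b"0")]})
            await send({"type": "http.response.body", "body": b""})
            return  # the wrapped application never sees the request
        await self.app(scope, receive, send)


def probe(content_type):
    """Pass one constructed request through the guard; return the status sent."""
    sent = []

    async def service(scope, receive, send):  # stand-in for the wrapped app
        await send({"type": "http.response.start", "status": 200, "headers": []})
        await send({"type": "http.response.body", "body": b"ok"})

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    scope = {"type": "http", "method": "POST", "path": "/",
             "headers": [(b"content-type", content_type.encode())]}
    asyncio.run(RejectPickleBodies(service)(scope, receive, send))
    return sent[0]["status"]
```

The guard is a stopgap for unpatched deployments and does not replace upgrading to 1.4.3; logging the 415 responses also gives a record of attempts to send pickle-typed bodies.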

Am I affected by CVE-2025-27520?

You are affected if your project (directly or transitively) depends on a vulnerable version of bentoml in the PyPI ecosystem. Check your lockfile for the resolved version, or scan automatically with VulnFeed.

Check your own project automatically

Don't eyeball every dependency by hand. VulnFeed reads your lockfile, checks it against the same advisory data, and ranks findings by EPSS — free, no signup (10 scans/day):

curl -s https://vulnfeed-api.novadyne.ai/vulnscan/query \
  -H 'content-type: application/json' \
  -d '{"ecosystem":"npm","package":"PKG","version":"VERSION"}'

Or run it inside Claude Code with no API key — uvx vulnfeed-mcp — and just ask "scan this project for vulnerabilities."

Data sources: vulnerability metadata from OSV.dev and the National Vulnerability Database; exploit-probability (EPSS) from FIRST.org (recomputed daily; EPSS data shown here as of 2026-06-18). Page generated 2026-06-18.