Sean
04/22/2025, 4:00 PM
Content-Type: application/vnd.bentoml+pickle header.
CVE-2025-27520:
• Scope: Insecure pickle deserialization in the entry service
• Affected versions: BentoML ≥ 1.3.4 and < 1.4.3
• Action: Upgrade to v1.4.3 or later.
CVE-2025-32375:
• Scope: Insecure pickle deserialization in dependent (runner) services
• Affected versions: BentoML ≤ v1.4.8
• Exposure: Only when runners are launched explicitly with bentoml start-runner-server.
  ◦ Deployments started with standard bentoml serve and containerized via bentoml containerize are not exposed, because runner ports are not published.
  ◦ As of v1.4.8, the start-runner-server sub-command has been removed, fully closing this attack vector.
• Action: Upgrade to v1.4.8 or later.
Recommended next steps:
1. Upgrade immediately to the minimum safe version listed above (or any newer release).
2. Audit ingress rules to ensure only intended content types are accepted if pickle support is truly required; otherwise, consider disabling pickle inputs altogether.
If you have questions or need assistance, please open an issue or reach out in our community Slack.
Stay safe,
The BentoML Team
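As an added, defender-side illustration of the two recommended steps (this is example code, not code from BentoML or from the announcement above): a version check against the affected ranges the advisory lists, and a content-type allowlist implemented as a small ASGI middleware that answers 415 for the application/vnd.bentoml+pickle media type before a request body reaches the service. The allowlist contents, the ContentTypeAllowlist class and the simulate_request helper are assumptions made for the example; the version ranges and the header name come from the advisory.

```python
"""Defensive helpers illustrating the BentoML advisory (example code, not BentoML's own).

1. affected_cves(): flag an installed BentoML version against the ranges the
   advisory lists, so an inventory script can find deployments to upgrade.
2. ContentTypeAllowlist: a framework-free ASGI middleware that rejects request
   bodies whose media type is not on an explicit allowlist, which is one way to
   keep pickle inputs out at the ingress edge when they are not required.
"""
from __future__ import annotations

import asyncio
import re

# Header value named in the advisory.
PICKLE_CONTENT_TYPE = "application/vnd.bentoml+pickle"

# Example allowlist (assumption): what a JSON/form-driven service normally needs.
ALLOWED_CONTENT_TYPES = frozenset({"application/json", "multipart/form-data", "text/plain"})


def parse_version(version: str) -> tuple[int, ...]:
    """Turn 'v1.4.3' / '1.4.3rc1' into a comparable tuple of ints (pre-release tags dropped)."""
    match = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def affected_cves(version: str, runner_server_started: bool = True) -> list[str]:
    """Return the advisory CVE ids whose affected range contains `version`.

    runner_server_started: per the advisory, CVE-2025-32375 is only exposed when
    runners were launched with `bentoml start-runner-server`; default True so an
    unknown deployment is flagged conservatively.
    """
    v = parse_version(version)
    hits: list[str] = []
    # CVE-2025-27520: >= 1.3.4 and < 1.4.3 (fixed in 1.4.3)
    if (1, 3, 4) <= v < (1, 4, 3):
        hits.append("CVE-2025-27520")
    # CVE-2025-32375: the advisory lists <= 1.4.8 as affected while naming 1.4.8 as
    # the release that removed the sub-command; 1.4.8 is flagged here conservatively.
    if runner_server_started and v <= (1, 4, 8):
        hits.append("CVE-2025-32375")
    return hits


def content_type_allowed(header_value: str | None, allowed=ALLOWED_CONTENT_TYPES) -> bool:
    """True if the media type (parameters such as charset stripped) is on the allowlist."""
    if not header_value:
        return False
    media_type = header_value.split(";", 1)[0].strip().lower()
    return media_type in allowed


class ContentTypeAllowlist:
    """Hypothetical pure-ASGI middleware: 415 for body-bearing requests off the allowlist."""

    def __init__(self, app, allowed=ALLOWED_CONTENT_TYPES):
        self.app = app
        self.allowed = allowed

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and scope.get("method") in {"POST", "PUT", "PATCH"}:
            header = next(
                (v.decode("latin-1") for k, v in scope.get("headers", []) if k == b"content-type"),
                None,
            )
            if not content_type_allowed(header, self.allowed):
                await send({"type": "http.response.start", "status": 415,
                            "headers": [(b"content-type", b"text/plain")]})
                await send({"type": "http.response.body", "body": b"unsupported media type"})
                return  # body never reaches the application
        await self.app(scope, receive, send)


async def _echo_app(scope, receive, send):
    """Stand-in for the protected service: always answers 200."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def simulate_request(method: str, content_type: str | None) -> int:
    """Drive the middleware with an in-memory ASGI scope and return the response status."""
    headers = [(b"content-type", content_type.encode("latin-1"))] if content_type else []
    scope = {"type": "http", "method": method, "headers": headers}
    sent: list[dict] = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(ContentTypeAllowlist(_echo_app)(scope, receive, send))
    return sent[0]["status"]


if __name__ == "__main__":
    for ver in ("1.3.3", "1.4.0", "1.4.3", "v1.4.9"):
        print(ver, affected_cves(ver))
    print("pickle POST ->", simulate_request("POST", PICKLE_CONTENT_TYPE))
    print("json POST   ->", simulate_request("POST", "application/json; charset=utf-8"))
```

The version check is meant for an inventory script run over `bentoml --version` output across deployments; the middleware is the shape of the ingress rule from step 2, and the same allowlist can equally be expressed at a reverse proxy in front of the service.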