What is CVE-2025-32375?

CVE-2025-32375 is a critical-severity vulnerability in Bentoml, classified under Deserialization of Untrusted Data. CVSS score: 9.8/10. Published 2025-04-09.

How severe is CVE-2025-32375?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Is CVE-2025-32375 known to be exploited?

5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Deserialization in Bentoml

CVE-2025-32375

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.8, there was an insecure deserialization in BentoML's runner server. By setting specific headers and parameters in the…

Vulnerability class: Insecure Deserialization

EPSS: 0.652 (98.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Bentoml — versions >= 1.0, < 1.4.8

Weakness classification (CWE)

CWE-502 — Deserialization of Untrusted Data

Public proof-of-concept exploits

References

https://github.com/bentoml/BentoML/security/advisories/GHSA-7v4r-c989-xh26 (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2025-32375?: CVE-2025-32375 is a critical-severity vulnerability in Bentoml, classified under Deserialization of Untrusted Data. CVSS score: 9.8/10. Published 2025-04-09.
How severe is CVE-2025-32375?: Critical severity. CVSS v3 base score is 9.8 out of 10.
Is CVE-2025-32375 known to be exploited?: 5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.