PRP: BentoML CVE-2025-27520 Unauthenticated RCE

[hayageek]

• Identifier of the vulnerability: CVE-2025-27520
• Affected software: BentoML (Python library for AI model serving)
• Type of vulnerability: RCE
• Requires authentication: No
• Language you would use for writing the plugin: Java
• Resources:
  • GHSA-33xw-247w-6hmc
  • https://www.wiz.io/vulnerability-database/cve/cve-2025-27520

[github-actions]

Welcome to the Tsunami patch reward program!

Your issue has been added to our triage queue and will reviewed
shortly. The panel usually takes a decision once per week, so it
can take up to a week before you hear back from us.

Please, do not start the work until the panel has reached a
decision. Although we always welcome contributions, unapproved
work is not eligible for a reward.

~The Tsunami PRP team