CVE-2026-35044

HIGH8.8EPSS 0.02%

BentoML: SSTI via Unsandboxed Jinja2 in Dockerfile Generation

發布日:2026/4/3修改日:2026/5/20

描述

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generate_containerfile() in src/bentoml/_internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfile_template files. When a victim imports a malicious bento archive and runs bentoml containerize, attacker-controlled Jinja2 template code executes arbitrary Python directly on the host machine, bypassing all container isolation. This vulnerability is fixed in 1.4.38.

受影響套件(2)

PyPI/bentomlfrom 0, < 1.4.38
PyPI/bentomlfrom 0, < 1.4.38

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

參考連結(3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-35044
PATCHhttps://github.com/bentoml/BentoML
WEBhttps://github.com/bentoml/BentoML/security/advisories/GHSA-v959-cwq9-7hr6