Impact
BentoML previously allowed users to specify several file path fields in its bentofile.yaml configuration, including description, docker.setup_script, docker.dockerfile_template, and conda.environment_yml. By inserting specially crafted paths, an attacker can cause the build process to read arbitrary files from the host file system and embed them into the resulting bento archive. This leads to hidden exfiltration of sensitive material such as SSH keys, credentials, or environment variables, and can silently inject malicious content into artifacts that are later pushed to registries or deployed in production. The vulnerability is a classic path traversal flaw (CWE-22) that compromises confidentiality and supply-chain integrity. The impact is not limited to files inside the build directory: any file the build process is able to read may be copied into the archive, potentially exposing critical secrets.
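The containment check that closes this class of flaw, written as an added example rather than BentoML's own code: it takes the four fields named above from a parsed bentofile.yaml and reports any whose path resolves outside the build directory. The `file: <path>` form of description, the build-directory argument and the sample configuration are assumptions made here.

```python
from pathlib import Path

# Dotted keys of the bentofile.yaml fields the advisory names as file paths.
PATH_FIELDS = ("description", "docker.setup_script",
               "docker.dockerfile_template", "conda.environment_yml")


def _lookup(config, dotted):
    """Walk a dotted key through nested mappings; None if absent."""
    node = config
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _as_path(field, value):
    """Path a field value references, or None when it is not a path."""
    if not isinstance(value, str):
        return None
    if field == "description":
        # Assumption: description refers to a file only as 'file: <path>'.
        return value[5:].strip() if value.startswith("file:") else None
    return value


def find_escaping_paths(config, build_dir):
    """Dotted names of fields whose path resolves outside build_dir."""
    # Resolving first (absolute, '..' collapsed, symlinks followed) means
    # '../../x', '/etc/x' and a symlink out of the tree are all rejected.
    root = Path(build_dir).resolve()
    escaping = []
    for field in PATH_FIELDS:
        rel = _as_path(field, _lookup(config, field))
        if rel is None:
            continue
        target = (root / rel).resolve()  # an absolute rel replaces root
        if target != root and root not in target.parents:
            escaping.append(field)
    return escaping


# Constructed sample of a parsed bentofile.yaml; two fields leave the tree.
SAMPLE_CONFIG = {
    "description": "file: ./README.md",
    "docker": {"setup_script": "./setup.sh",
               "dockerfile_template": "../../../../etc/passwd"},
    "conda": {"environment_yml": "/etc/hostname"},
}
```

A build pipeline would run this before any file is copied into the archive and refuse the build when the list is non-empty.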
Affected Systems
The issue affects installations of the bentoml Python library prior to version 1.4.34: every BentoML release before v1.4.34 is vulnerable. Updating to the patched release eliminates the vulnerability.
Risk and Exploitability
The CVSS score of 7.4 denotes high severity, while the EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting no known exploitation campaigns. Attackers would need to supply a malicious bentofile.yaml to the build process, typically through supply-chain contamination or a malicious user initiating a build. Once a victim builds the artifact, the traversal takes effect during the build, copying arbitrary readable files into the archive, which then carries that sensitive data wherever the artifact is pushed or deployed. Overall, the risk is significant for systems that build bentos from untrusted sources, but the probability of a real-world attack remains low at present.
OpenCVE Enrichment
GitHub GHSA