Impact
BentoML versions prior to 1.4.37 interpolate arbitrary strings supplied in the system_packages field of bentofile.yaml directly into Dockerfile RUN commands without any sanitization. This is a form of command injection: whatever shell commands an attacker embeds in that field are executed when bentoml containerize or the subsequent docker build is run. The attacker can then add malicious binaries, modify the image contents, or otherwise compromise the build process, potentially gaining full control over the image that will later run in production environments.
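A pre-build check for the system_packages interpolation described above, as an added example that is not BentoML's own code or its 1.4.37 fix. It assumes a Debian/Ubuntu base image and that bentofile.yaml has already been parsed; the function name and sample entries are constructed for illustration.

```python
import re

# Debian policy package-name grammar: lowercase alphanumerics plus "+", "-", ".",
# at least two characters, starting with an alphanumeric.
# Assumption: the image is Debian/Ubuntu based and installs via apt-get.
_NAME = r"[a-z0-9][a-z0-9+.-]+"
# Optional "=version" pin as accepted by apt-get install.
_VERSION = r"[A-Za-z0-9][A-Za-z0-9.+~:-]*"
_PACKAGE_RE = re.compile(rf"{_NAME}(?:={_VERSION})?")


def audit_system_packages(packages):
    """Return (accepted, rejected) for a parsed system_packages value.

    Hypothetical helper: run it in CI before `bentoml containerize`.
    """
    accepted, rejected = [], []
    if not isinstance(packages, list):
        # A scalar or mapping where a list is expected is rejected outright.
        return accepted, [repr(packages)]
    for entry in packages:
        # fullmatch: the whole entry must be a single package token, so
        # whitespace, newlines, shell metacharacters and leading "-" all fail.
        if isinstance(entry, str) and _PACKAGE_RE.fullmatch(entry):
            accepted.append(entry)
        else:
            rejected.append(repr(entry))
    return accepted, rejected


# Constructed sample: three ordinary entries and five that must not reach a RUN line.
SAMPLE = [
    "libgomp1",
    "ffmpeg",
    "libssl3=3.0.2-0ubuntu1",
    "git && echo injected",      # command chaining
    "curl\nRUN echo injected",   # newline starts a new Dockerfile instruction
    "$(id)",                     # command substitution
    "-o",                        # would be read by apt-get as an option
    "",
]

if __name__ == "__main__":
    ok, bad = audit_system_packages(SAMPLE)
    print("accepted:", ok)
    print("rejected:", bad)
    raise SystemExit(1 if bad else 0)
```

An allow-list is used because the set of dangerous characters differs between the shell and the Dockerfile parser, so a deny-list of metacharacters is easy to get wrong.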
Affected Systems
The vulnerability affects builds made with any BentoML version earlier than 1.4.37 when the system_packages field is set in bentofile.yaml. Users of BentoML 1.4.36 and earlier are impacted. The issue was corrected in version 1.4.37, so releases 1.4.37 and later are not vulnerable.
Risk and Exploitability
With a CVSS score of 7.8, the flaw is classified as high severity. Exploitation requires the attacker to control or supply the bentofile.yaml used during image creation, which is typically a local-privilege or supply-chain situation. Because the flaw allows arbitrary code to run in the build environment, it can lead to container breakouts if the build host is not isolated, and any container built from a compromised image inherits the attacker’s code. No EPSS data is available, and the vulnerability is not currently listed in the CISA KEV catalog, but the high CVSS score and the ability to fully compromise the image make the risk significant for organizations that rely on BentoML for production deployments.