CVE-2026-27905 - BentoML tar symlink arbitrary write
BentoML versions through 1.4.8 used a tar extraction helper that checked the
archive member path but did not safely constrain symlink targets before later
file writes. A malicious bento or model archive can therefore write through a
symlink outside the extraction directory when a vulnerable service pulls or
imports that archive.
This is a strong candidate for a tailored recipe because many model-serving repositories treat bentos and model bundles as trusted build artifacts. The PR must prove that archive inputs are trusted, fixed, or sandboxed, and that tests do not perform real writes outside temporary directories.
When to use it
Use this recipe when a repository builds, imports, promotes, or serves BentoML bentos/model archives from registries, object storage, CI artifacts, notebooks, partners, tenants, or automation. It is designed for source-code/deployment remediation, archive extraction containment, model artifact provenance, worker least privilege, and evidence that tar symlinks cannot write outside extraction roots.
Inputs
bentomlversion, Python dependency files, lockfiles, images, bento/model registry config, archive import/pull commands, and SBOM or generated dependency reports.- Source/config paths that call BentoML archive helpers, import/pull bentos,
use
tarfile, restore CI/model artifacts, mount mutable caches, or promote model bundles. - Regression fixtures for tar members, symlinks, absolute paths, traversal paths, benign archives, temp extraction roots, and denied out-of-root writes.
- Boundary evidence: archive authors, registry write access, shared caches, writable directories, service credentials, logs, image owners, and rollout owner.
Affected versions
- Vulnerable package:
bentoml <=1.4.8 - Fixed package:
bentoml 1.4.36+ - Affected helper:
safe_extract_tarfile() - Affected flows: pulling or importing BentoML bento/model tar archives, including local registries, BentoCloud pulls, CI artifact restore, and model bundle promotion jobs
- Required attacker capability: ability to influence a bento/model archive that a vulnerable runtime extracts
Indicator-of-exposure
- The repository depends on, vendors, builds, or deploys
bentoml <=1.4.8. - CI, deployment, model registry, notebooks, or serving jobs pull bento/model tar archives from users, partners, model registries, artifact caches, object storage, or BentoCloud.
- Archive extraction runs as a user that can write source trees, site-packages, shell startup files, service config, model cache directories, credentials, or shared volumes.
- Custom wrappers call BentoML archive import/extract functions or reimplement tar extraction with member-path checks that ignore symlink targets.
- Model-serving deployments reuse mutable caches between tenants, builds, or promotion stages.
Quick checks:
rg -n "bentoml|bento import|bento pull|model import|safe_extract_tarfile|tarfile|extractall|extract\\(|BentoCloud|bento\\.py|model\\.py" .
python -m pip show bentoml
python -m pip freeze | rg -i "^bentoml=="
rg -n "bentoml|bento|model.*tar|artifact.*tar|extractall|tarfile" Dockerfile* docker-compose*.yml compose*.yml charts k8s scripts notebooks .github . 2>/dev/null
Windows:
rg -n "bentoml|bento import|bento pull|model import|safe_extract_tarfile|tarfile|extractall|extract\\(|BentoCloud|bento\\.py|model\\.py" .
python -m pip show bentoml
python -m pip freeze | rg -i "^bentoml=="
rg -n "bentoml|bento|model.*tar|artifact.*tar|extractall|tarfile" Dockerfile* docker-compose*.yml compose*.yml charts k8s scripts notebooks .github .
Do not extract untrusted archives into the repository, a real model cache, a home directory, production volumes, or any path outside a temporary directory.
Remediation strategy
- Upgrade every controlled BentoML dependency, lockfile, image, generated
dependency report, and SBOM to
1.4.36+. - Treat bento and model archives as untrusted unless they come from a signed, provenance-checked source controlled by the repository owner.
- Ensure archive extraction rejects absolute paths, traversal, hardlinks,
symlinks that point outside the extraction root, and writes through existing
symlinks. Prefer Python 3.12+
tarfiledata filters where the runtime and compatibility allow it. - Run import/extraction jobs as least-privilege users against dedicated disposable model cache directories.
- Add safe regression tests with synthetic tar fixtures in temporary directories. The tests should assert no file is created outside the temporary extraction root.
- Review model cache, build cache, and serving hosts if vulnerable archive imports consumed third-party or user-supplied bentos.
The prompt
You are remediating CVE-2026-27905 / GHSA-m6w7-qv66-g3mf, a BentoML tar
symlink traversal issue that can write outside the extraction root when
vulnerable runtimes import bento or model archives. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades BentoML, hardens archive
extraction and artifact trust, adds safe regression coverage, refreshes
generated artifacts, and documents operator review, or
- TRIAGE.md if this repository does not own an affected BentoML runtime or
archive extraction surface.
## Rules
- Scope only CVE-2026-27905 / GHSA-m6w7-qv66-g3mf and directly related BentoML
archive extraction, model artifact, cache, and deployment controls.
- Treat model archives, bentos, model weights, source trees, site-packages,
service config, credentials, cache directories, logs, and build artifacts as
sensitive.
- Do not extract untrusted archives into real repository paths, home
directories, production volumes, model caches, service config directories, or
any non-temporary destination.
- Do not delete model caches, disable model provenance, weaken artifact
signing, or remove tests to silence the advisory.
- Do not auto-merge.
## Steps
1. Inventory every BentoML reference controlled by the repository: Python
manifests, lockfiles, constraints, Dockerfiles, model-serving images,
notebooks, CI jobs, artifact restore jobs, model registry integrations,
BentoCloud pulls, generated dependency reports, SBOMs, and runbooks.
2. Determine every resolved `bentoml` version. A target is vulnerable if it
resolves to `<=1.4.8`.
3. Search for bento/model archive import and extraction flows: `bento pull`,
`bento import`, model import, `safe_extract_tarfile`, `tarfile`,
`extractall`, custom extraction wrappers, cache warmers, model promotion,
and artifact download steps.
4. Classify archive sources as repository-built, signed internal registry,
trusted vendor, user supplied, partner supplied, CI artifact cache, object
storage, BentoCloud, or unknown.
5. If BentoML is absent, fixed, or only used in a non-extracting client path,
stop with `TRIAGE.md` listing checked files, resolved versions, and exposure
rationale.
6. Upgrade all controlled BentoML references to `1.4.36+`. Refresh locks,
constraints, images, generated dependency reports, SBOMs, and docs.
7. Harden archive handling where this repository owns wrapper code:
- reject absolute paths and traversal;
- reject hardlinks and symlinks that resolve outside the extraction root;
- prevent writes through pre-existing symlinks;
- canonicalize final paths after all joins;
- use Python 3.12+ `tarfile` data filters where available;
- extract into dedicated temporary directories before promotion;
- require provenance checks for non-local model artifacts.
8. Harden runtime deployment:
- run extraction as a least-privilege account;
- use dedicated writable model cache directories;
- avoid mounting source trees, credentials, service config, or home
directories writable by the extraction process;
- clear and rebuild caches only through documented operator steps.
9. Add safe regression checks:
- dependency policy rejects `bentoml <=1.4.8`;
- synthetic tar fixtures with symlinks or hardlinks cannot create files
outside a temporary extraction root;
- model/bento import paths require trusted provenance where configured;
- logs and test output do not include model secrets, credentials, or
customer artifacts.
10. Add a PR body section named `CVE-2026-27905 operator actions` that states:
- BentoML versions before and after;
- which services import or pull bento/model archives;
- which archive sources are trusted or untrusted;
- which extraction users and cache directories are writable;
- whether model caches, build caches, or serving hosts need review;
- which validation commands passed.
11. Run available validation: package install, lockfile integrity, unit tests,
archive extraction tests, model import smoke tests with local fixtures,
lint/typecheck, image build, SBOM refresh, dependency/security scans, and
deployment render checks.
12. Use PR title:
`fix(sec): remediate CVE-2026-27905 in BentoML archive extraction`.
## Stop conditions
- No affected BentoML runtime, dependency, archive extraction flow, image,
generated artifact, or model cache is controlled by this repository.
- The affected model-serving runtime is owned by another team; name the owner
and required fixed version in `TRIAGE.md`.
- A fixed BentoML version requires a broader model-serving migration or
maintenance window the agent cannot safely complete.
- Verification would require extracting untrusted archives into non-temporary
paths, touching production model caches, or reading customer/model secrets.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Output contract
- A reviewer-ready PR or change request that upgrades BentoML, refreshes dependency/image artifacts, constrains archive extraction, adds symlink regression tests, and documents artifact/operator review.
- Or a
TRIAGE.mdfile that lists inspected dependencies/import paths, owner, observed version, archive trust boundary, writable paths, required fix, and residual risk. - The output must include exact validation commands and must not extract untrusted archives outside temporary directories, overwrite real files, or expose model/service secrets.
Verification - what the reviewer looks for
- No controlled dependency, lockfile, image, SBOM, or generated report resolves
bentoml <=1.4.8. - Archive extraction either comes from patched BentoML or rejects symlink, hardlink, absolute-path, traversal, and existing-symlink escape writes.
- Regression tests prove unsafe archive members cannot write outside a temporary extraction root.
- Model/bento artifact sources have explicit trust and provenance rules.
- Operator notes cover cache review and least-privilege extraction users.
Watch for
- Upgrading application dependencies while model-serving images, notebooks, or cache-warming jobs still install an older BentoML version.
- Testing with real model caches or repository paths instead of temporary directories.
- Checking tar member names but not link targets or pre-existing symlink destinations.
- Running extraction as a user that can modify source, credentials, service configuration, or shared model volumes.
- Treating signed artifacts as safe while allowing unsigned user or partner model imports in a different code path.
Related recipes
- Source code attack surface map
- Source code supply chain build integrity audit
- Source code secrets and data exposure audit
- SAST finding triage and fix
References
- GitHub Advisory Database: https://github.com/advisories/GHSA-m6w7-qv66-g3mf
- BentoML advisory: https://github.com/bentoml/BentoML/security/advisories/GHSA-m6w7-qv66-g3mf
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27905