CVE-2025-27520 Critical RCE In BentoML Has Fewer Affected Versions Than Reported
ID: 39173735-78fd-5a2e-a169-784f36551972
STIX ID: report--39173735-78fd-5a2e-a169-784f36551972
Feed Name: Checkmarx Zero
A critical unauthenticated remote code execution vulnerability (CVE-2025-27520, CVSSv3 9.8) was found in BentoML. The root cause is insecure deserialization: a request body declared as a pickle payload is handed to Python's pickle loader, so an unauthenticated attacker can send a crafted pickle over HTTP and execute arbitrary code in the serving process. The summary lists versions 1.3.8 through 1.4.2 as affected, while the post title states that the true affected range is narrower than originally reported. The issue is fixed in version 1.4.3. Upgrade immediately or, where that is not yet possible, block the pickle Content-Type at the edge so that pickled request bodies never reach the service.
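The deserialization flaw and the Content-Type mitigation, illustrated with Python added here (this is not BentoML's code): a payload that uses the standard `__reduce__` gadget to run a harmless statement when unpickled, the vulnerable pattern that dispatches on the client's Content-Type, and three defences (an allow-list that rejects the pickle media type, an opcode scan that flags code-loading pickles without executing them, and a restricted unpickler). The media type `application/vnd.bentoml+pickle`, the environment-variable marker and the sample request bodies are assumptions constructed for this example.

```python
import io
import os
import pickle
import pickletools

# Constructed marker: a real payload would run os.system; this one only sets an env var
# in the current process so that "code executed" is observable and harmless.
MARKER_ENV = "PICKLE_DEMO_EXECUTED"

# Assumed media type for pickled request bodies; the real service's value may differ.
PICKLE_CT = "application/vnd.bentoml+pickle"


def was_executed() -> bool:
    return os.environ.get(MARKER_ENV) == "1"


def reset_marker() -> None:
    os.environ.pop(MARKER_ENV, None)


class Payload:
    """Attacker object: __reduce__ tells pickle to call builtins.exec on load.
    Only (exec, (code,)) ends up in the byte stream; this class itself is never referenced."""

    def __reduce__(self):
        code = f"import os; os.environ[{MARKER_ENV!r}] = '1'"
        return (exec, (code,))


def craft_payload() -> bytes:
    """What the attacker puts in the HTTP body."""
    return pickle.dumps(Payload())


def benign_payload() -> bytes:
    """Constructed legitimate pickled input for comparison."""
    return pickle.dumps({"inputs": [1, 2, 3]})


def media_type(content_type: str) -> str:
    """Normalise 'Type/Sub; charset=...' to 'type/sub'."""
    return content_type.split(";", 1)[0].strip().lower()


def vulnerable_deserialize(content_type: str, body: bytes):
    """Vulnerable pattern: the client's Content-Type selects pickle.loads on the raw body."""
    if media_type(content_type) == PICKLE_CT:
        return pickle.loads(body)  # arbitrary code runs here
    return body


# Defence 1: an edge allow-list that never admits the pickle media type.
ALLOWED_CT = frozenset({"application/json", "application/octet-stream"})


def content_type_allowed(content_type: str) -> bool:
    return media_type(content_type) in ALLOWED_CT


def hardened_deserialize(content_type: str, body: bytes) -> bytes:
    """Hardened pattern: reject anything outside the allow-list before touching the body."""
    if not content_type_allowed(content_type):
        raise ValueError(f"unsupported Content-Type: {content_type}")
    return body


# Defence 2: static inspection. Any pickle that resolves a global or calls it can run code.
CODE_LOADING_OPS = frozenset({"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "REDUCE", "NEWOBJ", "NEWOBJ_EX"})


def pickle_can_execute(body: bytes) -> bool:
    """Walk the opcode stream without executing it; True if code-loading opcodes are present."""
    try:
        return any(op.name in CODE_LOADING_OPS for op, _arg, _pos in pickletools.genops(body))
    except Exception:
        return True  # malformed stream: treat as hostile


# Defence 3: a restricted unpickler for cases where pickle input cannot be avoided.
class RestrictedUnpickler(pickle.Unpickler):
    """Resolves only an explicit allow-list of globals; builtins.exec and everything else is refused."""

    SAFE_GLOBALS = frozenset({("builtins", "set"), ("builtins", "frozenset"), ("builtins", "complex")})

    def find_class(self, module, name):
        if (module, name) in self.SAFE_GLOBALS:
            return getattr(__import__(module), name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_load(body: bytes):
    return RestrictedUnpickler(io.BytesIO(body)).load()


def restricted_load_blocks(body: bytes) -> bool:
    """True if the restricted unpickler refuses the payload."""
    try:
        restricted_load(body)
    except pickle.UnpicklingError:
        return True
    return False
```

The allow-list is the mitigation to deploy first: it needs no knowledge of the service's internals and stops the request at the proxy. The opcode scan is useful as a detection signal on captured bodies, since a legitimate data pickle carries no GLOBAL/REDUCE opcodes. The restricted unpickler is a last resort; a safe global list must be kept tiny, because any allowed callable widens the attack surface again.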
