From e28464836d909c4ef0bde19d11235029777dbb6a Mon Sep 17 00:00:00 2001
From: Christina <542637706@qq.com>
Date: Fri, 15 May 2026 10:00:00 +0800
Subject: [PATCH] fix: remove is_main guard on pickle content-type check to protect all services

The pickle deserialization protection in api_endpoint() only applies when is_main=True. Non-entry services in multi-service deployments have is_main=False (the default), leaving them vulnerable to RCE via unauthenticated pickle.loads() on user-controlled request bodies. Remove the is_main condition so ALL services block the unsafe application/vnd.bentoml+pickle content type.

CWE-502: Deserialization of Untrusted Data
---
 src/_bentoml_impl/server/app.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/_bentoml_impl/server/app.py b/src/_bentoml_impl/server/app.py
index e3ad2c00135..8c73481812d 100644
--- a/src/_bentoml_impl/server/app.py
+++ b/src/_bentoml_impl/server/app.py
@@ -772,7 +772,7 @@ async def api_endpoint(self, name: str, request: Request) -> Response:
 media_type = media_type.split(";")[0].strip()
 # NOTE: The following check is for security concern, DO NOT REMOVE
- if self.is_main and media_type == "application/vnd.bentoml+pickle":
+ if media_type == "application/vnd.bentoml+pickle":
 raise BentoMLException(
 "application/vnd.bentoml+pickle is not allowed in main server",
 error_code=HTTPStatus.UNSUPPORTED_MEDIA_TYPE,
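Review bot: The rejection message on the line after the new condition still says "not allowed in main server", which is no longer true now that the check runs for every service; it should read `"application/vnd.bentoml+pickle is not allowed",` and the NOTE comment above the condition should say the check applies to all services, not only the entry service, so the next reader does not reintroduce the `is_main` guard. The comparison is also case-sensitive while Content-Type media types are case-insensitive; unless the code that later selects a deserializer on `media_type` is known to be case-sensitive too (not visible in this hunk), normalizing first with `if media_type.lower() == "application/vnd.bentoml+pickle":` keeps the deny check at least as broad as whatever matches downstream. A test asserting that a service constructed with `is_main=False` answers 415 to this content type would pin the fix, since the default value is the case the commit message says was exposed. api_endpoint begins before this hunk and the `raise` continues past its last line.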