CVE-2017-18342

CRITICAL9.8EPSS 4.8%

PyYAML insecurely deserializes YAML strings leading to arbitrary code execution

Published: 1/4/2019Modified: 4/28/2026

Description

In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.

Affected packages (3)

Debian/pyyamlfrom 0, < 5.1.2-1
PyPI/pyyamlfrom 0, < 4.1
PyPI/pyyamlfrom 0, < 5.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (18)

ADVISORYhttps://github.com/advisories/GHSA-rprw-h62v-c2w7
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-18342
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2017-18342
PATCHhttps://github.com/yaml/pyyaml
WEBhttps://github.com/marshmallow-code/apispec/issues/278
WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/pyyaml/PYSEC-2018-49.yaml
WEBhttps://github.com/yaml/pyyaml/blob/master/CHANGES
WEBhttps://github.com/yaml/pyyaml/commit/7b68405c81db889f83c32846462b238ccae5be80
WEBhttps://github.com/yaml/pyyaml/issues/193
WEBhttps://github.com/yaml/pyyaml/pull/74
WEBhttps://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ
WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/
WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE
WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/
WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA
WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/
WEBhttps://security.gentoo.org/glsa/202003-45