SYM_PY_0097 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Deserialization of Untrusted Data

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
## Description

`ruamel.yaml.YAML(typ='unsafe')` (like the legacy `ruamel.yaml.load(data, Loader=ruamel.yaml.Loader)` interface it replaced) uses a constructor that honours the Python-specific tags `!!python/object:`, `!!python/object/apply:`, `!!python/name:` and `!!python/module:`. A document carrying one of these tags names a dotted module path; the loader imports that module, resolves the attribute and instantiates or calls it with arguments taken from the document itself. When the YAML comes from a source you do not control (uploaded files, request bodies, third-party feeds, values pulled from a shared store), the attacker picks the callable and its arguments, so the act of loading the file is code execution.

This rule also reports `typ='base'`. In ruamel.yaml the base constructor only builds strings, sequences and mappings and has no constructors for Python tags, so a match on `typ='base'` indicates a loader choice worth reviewing rather than a directly exploitable sink (one reason the confidence is Medium). For untrusted input use the default round-trip loader (`YAML()`) or `YAML(typ='safe')`, both of which raise a `ConstructorError` for tags they have no constructor for instead of executing them.
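The vulnerable loader beside its hardened replacement, as an added example written for this entry (it is not code from the Symbiotic-Vulnerability-Database or from ruamel.yaml). The malicious document, the benign configuration and the helper names (`load_unsafe`, `load_safe`, `has_python_tag`, `unsafe_loader_executes_callable`, `safe_loader_rejects_payload`) are constructed for illustration; the payload calls `os.path.join` because it is harmless and deterministic, where a real attacker would name `os.system` or `subprocess.check_output`. It needs `ruamel.yaml` installed and reports that clearly if it is not.

```python
"""Added example for SYM_PY_0097: ruamel.yaml typ='unsafe' versus typ='safe'.

Not code from the vulnerability database or from ruamel.yaml; the documents,
payload and helper names below are constructed for illustration.
"""
import os

try:
    from ruamel.yaml import YAML
    from ruamel.yaml.constructor import ConstructorError
    RUAMEL_AVAILABLE = True
except ImportError:  # ruamel.yaml not installed; the loaders below cannot run
    RUAMEL_AVAILABLE = False

# Constructed "untrusted" document. The python/object/apply tag names a dotted
# Python path; the unsafe constructor imports that module, resolves the
# attribute and CALLS it with the sequence as positional arguments.
# os.path.join is used because it is harmless and deterministic; an attacker
# would name os.system, subprocess.check_output or similar instead.
MALICIOUS_YAML = '!!python/object/apply:os.path.join ["/tmp", "pwned"]\n'

# Constructed benign configuration of the kind the application expects.
BENIGN_YAML = "listen: 0.0.0.0\nport: 8080\nworkers: [a, b]\n"


def load_unsafe(text):
    """Vulnerable pattern reported by SYM_PY_0097: the unsafe constructor
    honours python/* tags, so tags in the input decide what gets executed."""
    return YAML(typ="unsafe").load(text)


def load_safe(text):
    """Hardened pattern: the safe constructor only builds the core YAML types
    (str, int, float, bool, None, list, dict, ...) and raises ConstructorError
    for any tag it has no constructor for, python/* tags included."""
    return YAML(typ="safe").load(text)


def has_python_tag(text):
    """Pre-parse gate (assumed helper, not a ruamel.yaml feature): refuse input
    that carries the Python tag namespace in either its short or long form.
    Defence in depth only; choosing a safe loader is the actual fix."""
    return "!!python/" in text or "tag:yaml.org,2002:python/" in text


def unsafe_loader_executes_callable():
    """True when typ='unsafe' really invoked os.path.join("/tmp", "pwned")."""
    return load_unsafe(MALICIOUS_YAML) == os.path.join("/tmp", "pwned")


def safe_loader_rejects_payload():
    """True when typ='safe' refuses the same document instead of running it."""
    try:
        load_safe(MALICIOUS_YAML)
    except ConstructorError:
        return True
    return False


if __name__ == "__main__":
    if not RUAMEL_AVAILABLE:
        raise SystemExit("install ruamel.yaml to run this demonstration")
    print("unsafe loader ran the tagged callable:", unsafe_loader_executes_callable())
    print("safe loader rejected the payload:", safe_loader_rejects_payload())
    print("safe loader on benign config:", load_safe(BENIGN_YAML))
    print("pre-parse gate flags payload:", has_python_tag(MALICIOUS_YAML))
```

The decisive difference is the constructor class behind `typ`: the unsafe one resolves the dotted name after the tag and calls it, the safe one has no constructor registered for that tag and stops with an error before any application code sees the data. The string check in `has_python_tag` is only a cheap early reject for logging or rate limiting; it is not a substitute for the safe loader, since tag handles can be rebound with a `%TAG` directive.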
## Impact

An attacker who can supply the YAML document runs arbitrary Python, and through it arbitrary shell commands, with the privileges of the process that performs the load, at the moment the file is parsed and before any validation of its contents can take place. Depending on what that process can reach, this means reading or exfiltrating data, disrupting the service, or full compromise of the host and anything it holds credentials for.