# Deserialization of Untrusted Data

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
## Description

Constructing a `ruamel.yaml.YAML()` loader with `typ='unsafe'` or `typ='base'` allows loading YAML documents that can instantiate arbitrary Python objects. If the YAML input comes from an untrusted source, deserializing it this way can trigger unintended code execution in your application.
## Impact

If exploited, an attacker could craft a malicious YAML file to execute arbitrary code on your server, potentially leading to data theft, service disruption, or a complete system compromise. This exposes your application and infrastructure to significant security risks.