Deserialization of Untrusted Data
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
Using PyYAML’s yaml.load or yaml.unsafe_load (with Loader like Loader, UnsafeLoader, or CLoader) to parse YAML is unsafe, as it can execute arbitrary code embedded in YAML input. Always use yaml.safe_load or SafeLoader to prevent code execution risks.
Impact#
If exploited, an attacker could craft malicious YAML input that executes arbitrary Python code on your server, leading to data theft, malware installation, or complete system compromise. This puts both application data and infrastructure at serious risk.