CVE-2025-50460
BaseFortify
Publication date: 2025-08-01
Last updated on: 2025-08-04
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| modelscope | ms-swift | 3.3.0 |
| pyyaml | pyyaml | 5.3.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a remote code execution (RCE) issue in the ms-swift project version 3.3.0 caused by unsafe deserialization of YAML files using the yaml.load() function from the PyYAML library version 5.3.1. If an attacker can control the YAML configuration file passed to the --run_config parameter, they can execute arbitrary Python code during deserialization, potentially leading to full system compromise.
How can this vulnerability impact me? :
If exploited, this vulnerability allows an attacker to execute arbitrary code on the affected system remotely, which can lead to full system compromise. This means the attacker could take control of the system, execute malicious commands, access sensitive data, or disrupt system operations.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the PyYAML library to version 5.4 or higher and modify the code to use yaml.safe_load() instead of yaml.load() to prevent unsafe deserialization. Additionally, avoid passing untrusted YAML configuration files to the --run_config parameter to reduce risk.