
Security vulnerability detected: pyyaml #1

@alee-dependabot-alert-reader

Description

This issue tracks the security vulnerabilities that Dependabot has detected for the pyyaml package. Both alerts below point at the same manifest (requirements/prd.txt); the later first-patched version, 5.3.1, lies outside both vulnerable ranges, so upgrading to 5.3.1 or newer resolves both alerts.


Dependabot Alert #10 - Security vulnerability in pyyaml

Severity: critical
Fixed in: 5.3.1

More details: Security Advisory

Full Vulnerability Details

{
"number": 10,
"state": "open",
"dependency": {
"package": {
"ecosystem": "pip",
"name": "pyyaml"
},
"manifest_path": "requirements/prd.txt",
"scope": "runtime",
"relationship": "unknown"
},
"security_advisory": {
"ghsa_id": "GHSA-6757-jp84-gxfx",
"cve_id": "CVE-2020-1747",
"summary": "Improper Input Validation in PyYAML",
"description": "A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.",
"severity": "critical",
"identifiers": [
{
"value": "GHSA-6757-jp84-gxfx",
"type": "GHSA"
},
{
"value": "CVE-2020-1747",
"type": "CVE"
}
],
"references": [
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1747"
},
{
"url": "https://github.com/yaml/pyyaml/pull/386"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747"
},
{
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html"
},
{
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html"
},
{
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"url": "https://github.com/yaml/pyyaml/commit/5080ba513377b6355a0502104846ee804656f1e0"
},
{
"url": "https://github.com/advisories/GHSA-6757-jp84-gxfx"
},
{
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyyaml/PYSEC-2020-96.yaml"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7PPAS6C4SZRDQLR7C22A5U3QOLXY33JX"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MMQXSZXNJT6ERABJZAAICI3DQSQLCP3D"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2"
},
{
"url": "https://github.com/github/advisory-database/pull/4942"
},
{
"url": "https://github.com/yaml/pyyaml/commit/0cedb2a0697b2bc49e4f3841b8d4590b6b15657e"
}
],
"published_at": "2021-04-20T16:14:24Z",
"updated_at": "2024-10-31T16:18:25Z",
"withdrawn_at": null,
"vulnerabilities": [
{
"package": {
"ecosystem": "pip",
"name": "pyyaml"
},
"severity": "critical",
"vulnerable_version_range": ">= 5.1b7, < 5.3.1",
"first_patched_version": {
"identifier": "5.3.1"
}
}
],
"cvss_severities": {
"cvss_v3": {
"vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"score": 9.8
},
"cvss_v4": {
"vector_string": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"score": 9.3
}
},
"epss": {
"percentage": 0.02593,
"percentile": 0.84989
},
"cvss": {
"vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"score": 9.8
},
"cwes": [
{
"cwe_id": "CWE-20",
"name": "Improper Input Validation"
}
]
},
"security_vulnerability": {
"package": {
"ecosystem": "pip",
"name": "pyyaml"
},
"severity": "critical",
"vulnerable_version_range": ">= 5.1b7, < 5.3.1",
"first_patched_version": {
"identifier": "5.3.1"
}
},
"url": "https://api.github.com/repos/arthurthlee/testing/dependabot/alerts/10",
"html_url": "https://github.com/arthurthlee/testing/security/dependabot/10",
"created_at": "2025-08-22T17:14:16Z",
"updated_at": "2025-08-22T17:14:16Z",
"dismissed_at": null,
"dismissed_by": null,
"dismissed_reason": null,
"dismissed_comment": null,
"fixed_at": null,
"auto_dismissed_at": null
}


Dependabot Alert #2 - Security vulnerability in pyyaml

Severity: critical
Fixed in: 5.2

More details: Security Advisory

Full Vulnerability Details

{
"number": 2,
"state": "open",
"dependency": {
"package": {
"ecosystem": "pip",
"name": "pyyaml"
},
"manifest_path": "requirements/prd.txt",
"scope": "runtime",
"relationship": "unknown"
},
"security_advisory": {
"ghsa_id": "GHSA-3pqx-4fqf-j49f",
"cve_id": "CVE-2019-20477",
"summary": "Deserialization of Untrusted Data in PyYAML",
"description": "PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.",
"severity": "critical",
"identifiers": [
{
"value": "GHSA-3pqx-4fqf-j49f",
"type": "GHSA"
},
{
"value": "CVE-2019-20477",
"type": "CVE"
}
],
"references": [
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20477"
},
{
"url": "https://github.com/yaml/pyyaml/blob/master/CHANGES"
},
{
"url": "https://www.exploit-db.com/download/47655"
},
{
"url": "https://github.com/advisories/GHSA-3pqx-4fqf-j49f"
},
{
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyyaml/PYSEC-2020-176.yaml"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/33VBUY73AA6CTTYL3LRWHNFDULV7PFPN"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/52N5XS73Z5S4ZN7I7R56ICCPCTKCUV4H"
}
],
"published_at": "2021-04-20T16:40:42Z",
"updated_at": "2024-10-25T21:15:15Z",
"withdrawn_at": null,
"vulnerabilities": [
{
"package": {
"ecosystem": "pip",
"name": "pyyaml"
},
"severity": "critical",
"vulnerable_version_range": ">= 5.1, < 5.2",
"first_patched_version": {
"identifier": "5.2"
}
}
],
"cvss_severities": {
"cvss_v3": {
"vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"score": 9.8
},
"cvss_v4": {
"vector_string": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"score": 9.3
}
},
"epss": {
"percentage": 0.00518,
"percentile": 0.65725
},
"cvss": {
"vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"score": 9.8
},
"cwes": [
{
"cwe_id": "CWE-502",
"name": "Deserialization of Untrusted Data"
}
]
},
"security_vulnerability": {
"package": {
"ecosystem": "pip",
"name": "pyyaml"
},
"severity": "critical",
"vulnerable_version_range": ">= 5.1, < 5.2",
"first_patched_version": {
"identifier": "5.2"
}
},
"url": "https://api.github.com/repos/arthurthlee/testing/dependabot/alerts/2",
"html_url": "https://github.com/arthurthlee/testing/security/dependabot/2",
"created_at": "2025-08-22T17:14:15Z",
"updated_at": "2025-08-22T17:14:15Z",
"dismissed_at": null,
"dismissed_by": null,
"dismissed_reason": null,
"dismissed_comment": null,
"fixed_at": null,
"auto_dismissed_at": null
}
